A first-hand look from the .NET engineering teams
The .NET team released a security bulletin and a security advisory today as part of the monthly “patch Tuesday” cycle.
Microsoft Security Bulletin MS14-026 - Important, Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2958732)
This update resolves a privately reported vulnerability in the Microsoft .NET Framework that could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that has the .NET Framework Remoting feature enabled.
This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, and Microsoft .NET Framework 4.5.1 on affected editions of Microsoft Windows.
More details about the versions affected by this vulnerability can be found in security bulletin MS14-026.
Microsoft Security Advisory 2960358 - Important, Update for Disabling RC4 in .NET TLS (2960358)
Microsoft is announcing the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Microsoft recommends that customers download and test the updates, and then deploy them in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information.
This update requires pre-installation of the 2868725 update released in November 2013. For more information, see Microsoft Knowledge Base Article 2868725.
This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1 and Microsoft .NET Framework 4.5.2 on affected editions of Microsoft Windows.
Due to new behavior that restricts the unsecured RC4 cipher, the updates addressed in this advisory are being provided via the Microsoft Download Center and Microsoft Update Catalog only. The updates are not being provided via Windows Update in order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.
More details about the versions affected by this vulnerability can be found in Microsoft Security Advisory 2960358.
How to obtain help and support for this security update