question

DucaStefan-2953 asked AnnaXiu-MSFT edited

.Net 4.8 Framework offline installer - security updates included

Hopefully someone can help with this.

Since the initial .Net 4.8 Framework release, there are a number of vulnerabilities reported that were fixed by Microsoft and are available as security updates on Windows Update or as cumulative updates.

My question, however, is related to the strategy for delivering and documenting the fixed vulnerabilities within the offline installer. If I download the offline installer today, I will get the version 4.8.0 Build 4115 installed (which is the latest released one as far as I am aware). This is newer than the version that one would have gotten if one downloaded the offline installer, say, at the end of last year.

My expectation would be that security-relevant fixes are included in the new version, so if installing from the offline installer today on a system where no .Net 4.8 was previously installed, then the security updates are already installed by the installer and they should no longer be offered over Windows Update. Is this the case?

In general I am also searching for a location where the build number a certain vulnerability was fixed in is documented.

Starting from an example: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0646, no information on the build in which the issue is first fixed for 4.8 can be obtained (i.e. even when navigating to the KB article for a given platform, let's say Win 10/.Net 4.8).


not-supported

AnnaXiu-MSFT answered

Hi @DucaStefan-2953 ,

Welcome to Microsoft Q&A!

About Security Update, please directly send your feedback here:
Security Update Guide Feedback

Thanks for your understanding.

Sincerely,
Anna



abbodi86-0005 answered

The difference between the latest installer 4.8.4115.0 and the previous installer 4.8.3928.0 only affects Windows 7:
they removed the exe SHA1 digital signature and re-signed the bundled update KB4503575.msp with SHA2.

Neither includes any security updates, and the bundled updates for Windows 10 and 8.1 have not changed (same as January 2020).
