Microsoft Security Advisory 2905247

Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege

Published: December 10, 2013 | Updated: September 9, 2014

Version: 2.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1.

Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to attack. An attacker who successfully exploited the vulnerability could use specially crafted HTTP content to inject code to be run in the context of the service account on the ASP.NET server. Microsoft is aware of general information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.

Mitigating Factors:

  • View state MAC is enabled by default for ASP.NET sites.

Recommendation. Microsoft recommends that customers apply the suggested action to ensure that ASP.NET view state MAC remains enabled on ASP.NET sites. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Vulnerability References

For more information about this issue, see the following references:

References Identification
Microsoft Knowledge Base Article 2905247
File information Yes
SHA1/SHA2 hashes Yes
Known issues None

Affected Software

This advisory discusses the following software.

Affected Software

Operating System Component Bulletins Replaced
Windows Server 2003
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 1.1 Service Pack 1
(2894845)
None
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894843)
2656352 in MS11-100 and 2418241 in MS10-070
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894843)
2656352 in MS11-100 and 2418241 in MS10-070
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2003 with SP2 for Itanium-based Systems Microsoft .NET Framework 2.0 Service Pack 2
(2894843)
2656352 in MS11-100 and 2418241 in MS10-070
Windows Server 2003 with SP2 for Itanium-based Systems Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Vista
Windows Vista Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894847)
2656362 in MS11-100 and 2416470 in MS10-070
Windows Vista Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Vista Service Pack 2 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894847)
2656362 in MS11-100 and 2416470 in MS10-070
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894847)
2656362 in MS11-100 and 2416470 in MS10-070
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894847)
2656362 in MS11-100 and 2416470 in MS10-070
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2
(2894847)
2656362 in MS11-100 and 2416470 in MS10-070
Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 3.5.1
(2894844)
None
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1
(2894844)
None
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1
(2894844)
None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1
(2894844)
None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems Microsoft .NET Framework 3.5
(2894851)
None
Windows 8 for 32-bit Systems Microsoft .NET Framework 4.5/4.5.1
(2894855)
2901127 in MS14-009
Windows 8 for 64-bit Systems Microsoft .NET Framework 3.5
(2894851)
None
Windows 8 for 64-bit Systems Microsoft .NET Framework 4.5/4.5.1
(2894855)
2901127 in MS14-009
Windows 8.1 for 32-bit Systems Microsoft .NET Framework 3.5
(2894852)
2901125 in MS14-009
Windows 8.1 for 32-bit Systems Microsoft .NET Framework 4.5.1
(2894856)
2901128 in MS14-009
Windows 8.1 for 64-bit Systems Microsoft .NET Framework 3.5
(2894852)
2901125 in MS14-009
Windows 8.1 for 64-bit Systems Microsoft .NET Framework 4.5.1
(2894856)
2901128 in MS14-009
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 Microsoft .NET Framework 3.5
(2894851)
None
Windows Server 2012 Microsoft .NET Framework 4.5/4.5.1
(2894855)
2901127 in MS14-009
Windows Server 2012 R2 Microsoft .NET Framework 3.5
(2894852)
2901125 in MS14-009
Windows Server 2012 R2 Microsoft .NET Framework 4.5.1
(2894856)
2901128 in MS14-009
Windows RT and Windows RT 8.1
Windows RT Microsoft .NET Framework 4.5/4.5.1
(2894855)
2901127 in MS14-009
Windows RT 8.1 Microsoft .NET Framework 4.5.1
(2894856)
2901128 in MS14-009
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 3.5.1
(2894844)
None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 4[1] (2894842) 2901110 in MS14-009 and 2656351 in MS11-100
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 4.5/4.5.1
(2894854)
2901126 in MS14-009
Windows Server 2012 (Server Core installation) Microsoft .NET Framework 3.5
(2894851)
None
Windows Server 2012 (Server Core installation) Microsoft .NET Framework 4.5/4.5.1
(2894855)
2901127 in MS14-009
Windows Server 2012 R2 (Server Core installation) Microsoft .NET Framework 3.5
(2894852)
2901125 in MS14-009
Windows Server 2012 R2 (Server Core installation) Microsoft .NET Framework 4.5.1
(2894856)
2901128 in MS14-009

Non-Affected Software

Microsoft .NET Framework 1.0 Service Pack 3
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.5.2

Non-Applicable Software

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Advisory FAQ

Why was this advisory rereleased on September 9, 2014?
This advisory was rereleased to offer the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released.

Furthermore, the updates for the following affected software were rereleased to address an issue that occasionally caused Page.IsPostBack to return an incorrect value:

.NET Framework Version Operating Systems Update Number
Microsoft .NET Framework 3.5 Windows 8.1 and Windows Server 2012 only 2894852
Microsoft .NET Framework 4 Windows Server 2003 Service Pack 2, Windows Vista Service Pack 2, Windows 2008 Service pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1 2894842
Microsoft .NET Framework 4.5 Windows Vista, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2 Service Pack 1 2894854
Microsoft .NET Framework 4.5.1 Windows Vista, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2 Service Pack 1 2894854
Microsoft .NET Framework 4.5.1 Windows 8, Windows Server 2012, and Windows RT 2894855
Microsoft .NET Framework 4.5.1 Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 2894856

Customers who have already installed any of the above updates should reapply the updates to be protected from the vulnerability addressed in this advisory. For the remainder of the affected software not included in this list, customers who have already successfully updated their systems do not need to take any action.

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is publishing an update to enable administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

What is view state?
View state is an ASP.NET feature that enables web developers to maintain page state and persist data in a web form across POST requests, or page updates and changes. View state is used prevalently by ASP.NET developers and, as such, is ubiquitous throughout ASP.NET sites. View state is always parsed, even if the EnableViewState property is set to False. For more information, see Understanding ASP.NET View State.

Will disabling view state mitigate the vulnerability?
No. View state is always parsed by the ASP.NET server, even when EnableViewState is set to False, regardless of whether or not the property is set in web.config, the @Page directive, or an ASP.NET tag. It is possible for an attacker to inject a view state property into a client post, bypassing the EnableViewState setting.

What is view state MAC Validation?
View state MAC (Machine Authentication Code) validation is a feature that causes ASP.NET to generate a hash of the view state data at page generation time. The hash is later used for comparison to the view state on a later postback, allowing the server to verify whether or not view state has been tampered with. This technology ensures that postback data has not been modified improperly and mitigates the vulnerability described in this advisory.

What might an attacker use the vulnerability to do?
In most scenarios, an attacker who successfully exploited this vulnerability could elevate privileges to the level of the service account running on the vulnerable ASP.NET site (one with an improperly configured view state MAC).

How could an attacker exploit the vulnerability?
An unauthenticated attacker could send specially crafted HTTP content to the targeted server, potentially allowing the attacker to run code on the server in the context of the service account running on the ASP.NET site.

What does the update do?
The update addresses the vulnerability by causing view state MAC to be enabled at all times, removing the ability to disable it on the server.

What additional actions must customers take following the installation of the update?
The nature of the fix requires that some customers, particularly those using ASP.NET in a web farm, take additional actions to ensure consistent availability of their ASP.NET sites. See the Suggested Actions section below for additional configuration steps.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see Microsoft Knowledge Base Article 318785.****

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile.

I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update?
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.0 Service Pack 2 installer chains in the .NET Framework 2.0 Service Pack 2 setup, so installing the former also installs the latter. Therefore, customers who have.NET Framework 3.0 Service Pack 2 installed need to install security updates for .NET Framework 2.0 Service Pack 2.

I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any updates?
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.5 Service Pack 1 installer chains in both the .NET Framework 2.0 Service Pack 2 setup and the .NET Framework 3.0 Service Pack 2 setup. Therefore, customers who have .NET Framework 3.5 Service Pack 1 installed need to install security updates for.NET Framework 2.0 Service Pack 2.

Suggested Actions

<<<<<<< HEAD

- **Apply the update for affected releases of Microsoft .NET Framework **

  • Apply the update for affected releases of Microsoft .NET Framework

    Task 1079262 - QA done

    Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.

    For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. The updates are also accessible via the Microsoft Download center hyperlinks in the Affected Software table of this advisory. For information on how to manually apply the updates, see Microsoft Knowledge Base Article 2905247.

  • For administrators and enterprise installations with web-farm scenarios
    Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218.

Additional Suggested Actions

  • Protect your PC
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
  • Keep Microsoft Software Updated
    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Security Update Deployment

Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup.
Security update file names For Microsoft .NET Framework 1.1 Service Pack 1 when installed on all supported 32-bit editions of Windows Server 2003 SP2:
WindowsServer2003-KB2894845-x86-ENU.exe

For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2003:
NDP20SP2-KB2894843-x86.exe

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
NDP40-KB2894842-V2-x86.exe

For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2003:
NDP20SP2-KB2894843-x64.exe

For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:
NDP40-KB2894842-V2-x64.exe

For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP20SP2-KB2894843-IA64.exe

For Microsoft .NET Framework 4 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP40-KB2894842-V2-IA64.exe
Installation switches See Microsoft Knowledge Base Article 2844699
Update log file For Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2:
KB2894845.log

For Microsoft .NET Framework 2.0 Service Pack 2:
Microsoft .NET Framework 2.0-KB2894843_-msi0.txt
Microsoft .NET Framework 2.0-KB2894843_
.html

For Microsoft .NET Framework 4:
KB2894842__-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842__.html
Restart requirement In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Removal information Use the Add or Remove Programs item in Control Panel.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 1.1 Service Pack 1 on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2894845</td>

For Microsoft .NET Framework 2.0 Service Pack 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2894843
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4 when installed on all supported x64-based editions and Itanium-based editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

Windows Vista (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup.
Security update file names For Microsoft .NET Framework 2.0 Service Pack 2 on all supported 32-bit editions of Windows Vista:
Windows6.0-KB2894847-x86.msu

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
NDP40-KB2894842-V2-x86.exe

For Microsoft .NET Framework 4.5/4.5.1 when installed on all supported 32-bit editions of Windows Vista:
NDP45-KB2894854-V2-x86.exe

For Microsoft .NET Framework 2.0 Service Pack 2 on all supported x64-based editions of Windows Vista:
Windows6.0-KB2894847-x64.msu

For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:
NDP40-KB2894842-V2-x64.exe

For Microsoft .NET Framework 4.5/4.5.1 when installed on all supported x64-based editions of Windows Vista:
NDP45-KB2894854-V2-x64.exe
Installation switches See Microsoft Knowledge Base Article 2844699
Update log file For Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable

For Microsoft .NET Framework 4:
KB2894842__-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842__.html

For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]__*.html
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

Windows Server 2008 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Security update file names For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2:
Windows6.0-KB2894847-x86.msu

For Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP40-KB2894842-V2-x86.exe

For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP45-KB2894854-V2-x86.exe

For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2:
Windows6.0-KB2894847-x64.msu

For Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP40-KB2894842-V2-x64.exe

For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP45-KB2894854-V2-x64.exe

For Microsoft .NET Framework 2.0 Service Pack 2 on all supported Itanium-based editions of Windows Server 2008:
Windows6.0-KB2894847-ia64.msu

For Microsoft .NET Framework 4 when installed on Windows Server 2008 for Itanium-based Systems Service Pack 2:
NDP40-KB2894842-V2-IA64.exe
Installation switches See Microsoft Knowledge Base Article 2844699
Update log file For Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable

For Microsoft .NET Framework 4:
KB2894842__-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842__.html

For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]__*.html
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

Windows 7 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Security update file name For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1:
Windows6.1-KB2894844-x86.msu

For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP40-KB2894842-V2-x86.exe

For Microsoft .NET Framework 4.5/4.5.1 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP45-KB2894854-V2-x86.exe

For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1:
Windows6.1-KB2894844-x64.msu

For Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP40-KB2894842-V2-x64.exe

For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP45-KB2894854-V2-x64.exe
Installation switches See Microsoft Knowledge Base Article 2844699
Update log file For Microsoft .NET Framework 3.5.1:
Not applicable

For Microsoft .NET Framework 4:
KB2894842__-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842__.html

For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]__*.html
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 3.5.1:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows 7:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows 7:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2
"ThisVersionInstalled" = "Y"

Windows Server 2008 R2 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Security update file name For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
Windows6.1-KB2894844-x64.msu

For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
NDP40-KB2894842-V2-x64.exe

For Microsoft .NET Framework 4.5.1 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1:
NDP45-KB2894854-V2-x64.exe

For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
Windows6.1-KB2894844-ia64.msu

For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
NDP40-KB2894842-V2-IA64.exe
Installation switches See Microsoft Knowledge Base Article 2844699
Update log file For Microsoft .NET Framework 3.5.1:
Not applicable

For Microsoft .NET Framework 4:
KB2894842__-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842__.html

For Microsoft .NET Framework 4.5/4.5.1:
KB[nnnnnnn]*-Microsoft .NET Framework [.NET target version]-MSP0.txt KB[nnnnnnn]__*.html
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 3.5.1:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

For Microsoft .NET Framework 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842v2
"ThisVersionInstalled" = "Y"

For Microsoft .NET Framework 4.5/4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB[nnnnnnn]v2 "ThisVersionInstalled" = "Y"

Windows 8 (all editions) and Windows 8.1 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Security update file name For Microsoft .NET Framework 3.5 on Windows 8 for 32-bit Systems:
Windows8-RT-KB2894851-x86.msu

For Microsoft .NET Framework 4.5/4.5.1 on Windows 8 for 32-bit Systems:
Windows8-RT-KB2894855-V2-x86.msu

For Microsoft .NET Framework 3.5 on Windows 8 for 64-bit Systems:
Windows8-RT-KB2894851-x64.msu

For Microsoft .NET Framework 4.5/4.5.1 on Windows 8 for 64-bit Systems:
Windows8-RT-KB2894855-V2-x64.msu

For Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB2894852-V2-x86.msu

For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB2894856-V2-x86.msu

For Microsoft .NET Framework 3.5 on Windows 8.1 for 64-bit Systems:
Windows8.1-KB2894852-V2-x64.msu

For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 64-bit Systems:
Windows8.1-KB2894856-V2-x64.msu
Installation switches See Microsoft Knowledge Base Article 2844699
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification For Microsoft .NET Framework 3.5:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

For Microsoft .NET Framework 4.5/4.5.1: Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.

Windows Server 2012 (all editions) and Windows Server 2012 R2 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Security update file name For Microsoft .NET Framework 3.5 on Windows Server 2012:
Windows8-RT-KB2894851-x64.msu

For Microsoft .NET Framework 4.5/4.5.1 on Windows Server 2012:
Windows8-RT-KB2894855-V2-x64.msu

For Microsoft .NET Framework 3.5 on Windows Server 2012 R2:
Windows8.1-KB2894852-V2-x64.msu

For Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2:
Windows8.1-KB2894856-V2-x64.msu
Installation switches See Microsoft Knowledge Base Article 2844699
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.
File information See Microsoft Knowledge Base Article 2905247
Registry key verification Note A registry key does not exist to validate the presence of this update.

Windows RT (all editions) and Windows RT 8.1 (all editions)

Reference Table

The following table contains the security update information for this software.

Deployment For Microsoft .NET Framework 4.5 and 4.5.1 on Windows RT:
The 2894855 update is available via Windows Update

For Microsoft .NET Framework 4.5.1 on Windows RT 8.1:
The 2894856 update is available via Windows Update
Restart Requirement Yes, you must restart your system after you apply this security update.
Removal Information Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.
File Information See Microsoft Knowledge Base Article 2905247

Other Information

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (December 10, 2013): Advisory published.

V2.0 (September 9, 2013): Advisory rereleased to announce the offering of the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released. Additionally, some of the updates were reissued to improve their quality. See the Update FAQ for details.

Page generated 2014-09-04 11:06Z-07:00.