Many customers try hard to avoid updating .NET on Windows. These days, some consider every Windows update a potential time bomb, but .NET updates have a long history of being a difficult problem child.
Microsoft delivered .NET updates for February 2019, and these updates come with fixes that may cause some to do a double-take. They may warrant some heightened attention.
Here is what’s up…
CVE-2019-0613 – Remote Code Execution Vulnerability
This security update resolves a vulnerability in .NET Framework software that arises when the software does not check the source markup of a file. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who have administrative user rights.
This security update resolves a vulnerability in certain .NET Framework APIs that parse URLs. An attacker who successfully exploits this vulnerability could use it to bypass security logic that is intended to make sure that a user-provided URL belongs to a specific host name or a subdomain of that host name. This could be used to cause privileged communication to be made to an untrusted service as if it were a trusted service.
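A host-name check of the kind described above, as an added C# example that is not Microsoft's code and does not reproduce the patched framework bug: a common weak suffix test beside a stricter version that fails closed when the raw text and the `Uri` parser disagree. The class and method names, `example.com`, `notexample.com` and the sample URLs are constructed for illustration.

```csharp
using System;
using System.Linq;

// Added example, not framework code. Host names and URLs below are constructed.
static class HostCheck
{
    // Weak: a suffix test with no label boundary also accepts "notexample.com",
    // and the scheme is never checked.
    public static bool WeakIsTrusted(string url, string trusted)
    {
        return Uri.TryCreate(url, UriKind.Absolute, out Uri u)
            && u.Host.EndsWith(trusted, StringComparison.OrdinalIgnoreCase);
    }

    // Stricter: allowlist the raw authority's characters first, then require the
    // parser's host to equal it, then match on a whole-label boundary.
    public static bool IsTrusted(string url, string trusted)
    {
        const string prefix = "https://";
        if (url == null || !url.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return false;
        int end = url.IndexOfAny(new[] { '/', '?', '#' }, prefix.Length);
        string rawHost = end < 0
            ? url.Substring(prefix.Length)
            : url.Substring(prefix.Length, end - prefix.Length);
        // ASCII letters, digits, '.' and '-' only: userinfo, ports, backslashes
        // and percent-escapes are rejected rather than interpreted.
        if (rawHost.Length == 0 ||
            !rawHost.All(c => c < 128 && (char.IsLetterOrDigit(c) || c == '.' || c == '-')))
            return false;
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri u)) return false;
        // Fail closed if the parser's view of the host differs from the raw text.
        if (!u.Host.Equals(rawHost, StringComparison.OrdinalIgnoreCase)) return false;
        return rawHost.Equals(trusted, StringComparison.OrdinalIgnoreCase)
            || rawHost.EndsWith("." + trusted, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        string[] samples = {
            "https://example.com/login", "https://api.example.com/v1",
            "https://notexample.com/", "http://example.com/",
        };
        foreach (string s in samples)
            Console.WriteLine($"{s}  weak={WeakIsTrusted(s, "example.com")}  strict={IsTrusted(s, "example.com")}");
    }
}
```

A check like this in application code is an extra layer on top of the parser, not a substitute for installing the update.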
The updates are available through normal means (Windows Update, Windows Server Update Services, Microsoft Update Catalog).