MS14-059: Description of the security update for ASP.NET MVC 4.0: October 14, 2014

2020-04-13T04:08:35
ID KB2993928
Type mskb
Reporter Microsoft
Modified 2020-04-16T07:55:17

Description

<html><body><p>Describes a security update that resolves a vulnerability in ASP.NET MVC that could allow security feature bypass if an attacker convinces a user to click a specially crafted link or to go to a webpage that contains specially crafted content.</p><div class="kb-notice-section section"><a bookmark-id="appliestoproducts" href="#appliestoproducts" managed-link="" target="">View products that this article applies to.</a></div><h2>INTRODUCTION</h2><div class="kb-summary-section section">Microsoft has released security bulletin MS14-059. To learn more about this security bulletin:<br/><ul class="sbody-free_list"><li>Home users:<br/><div class="indent"><a href="https://www.microsoft.com/security/pc-security/updates.aspx" id="kb-link-1" target="_self">https://www.microsoft.com/security/pc-security/updates.aspx</a></div><span class="text-base">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class="indent"><a href="https://update.microsoft.com/microsoftupdate/" id="kb-link-2" target="_self">https://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class="indent"><a href="https://technet.microsoft.com/library/security/ms14-059" id="kb-link-3" target="_self">https://technet.microsoft.com/library/security/MS14-059</a></div></li></ul><h3 class="sbody-h3">Download information</h3><span>The following files are available for download from the Microsoft Download Center. 
<br/></span><h4 class="sbody-h4">For all supported versions of Microsoft ASP.NET</h4><span><a href="http://www.microsoft.com/download/details.aspx?familyid=7d07b199-e7b6-4526-930c-cea52dc15b95" id="kb-link-4" target="_self">Download the package now.</a></span><br/><br/><span>Release Date: October 14, 2014<br/><br/>For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class="indent"><a href="https://support.microsoft.com/en-us/help/119591" id="kb-link-5">119591 </a> How to obtain Microsoft support files from online services</div>Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.<br/></span><h3 class="sbody-h3">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href="https://support.microsoft.com/ph/6527" id="kb-link-6" target="_self">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals:<br/><a href="https://technet.microsoft.com/security/bb980617.aspx" id="kb-link-7" target="_self">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your Windows-based computer from viruses and malware:<br/><a href="https://support.microsoft.com/contactus/cu_sc_virsec_master" id="kb-link-8" target="_self">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href="https://support.microsoft.com/common/international.aspx" id="kb-link-9" target="_self">International Support</a><br/><br/></div><h2>More Information</h2><div class="kb-moreinformation-section section"><ul class="sbody-free_list"><li>For more information about 
deployment options to address this security vulnerability, see the <a href="https://technet.microsoft.com/library/security/ms14-059" id="kb-link-10" target="_self">MS14-059</a> security bulletin. This update will be offered through Microsoft Update, the Microsoft Download Center, and updated NuGet packages. The security bulletin will provide correct guidance about which deployment option is required to help make sure that your computer and applications are secure. </li><li>Also, see the "Update FAQ" section of <a href="https://technet.microsoft.com/library/security/ms14-059" id="kb-link-11" target="_self">MS14-059</a> to better understand how Microsoft security updates for .NET NuGet Libraries are supported, how to determine which version of ASP.NET Model-View-Controller (MVC) is installed on your computer, which computers are offered the update through Microsoft Update, and other important information.<br/></li></ul><h3 class="sbody-h3">Known issues with this security update</h3><ul class="sbody-free_list"><li><span class="text-base">Symptom</span><br/>After you install this security update, all Azure Pack PowerShell commands return the following exception:<br/><div class="sbody-error">Method not found: 'Void Newtonsoft.Json.Serialization.DefaultContractResolver.set_IgnoreSerializableAttribute(Boolean)<br/></div><br/><span class="text-base">Resolution</span><br/>To resolve this issue, install Update Rollup 4 for Windows Azure Pack. 
For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br/><br/><div class="indent"><a href="https://support.microsoft.com/en-us/help/2992027" id="kb-link-12">2992027 </a> Update Rollup 4 for Windows Azure Pack<br/></div></li></ul><a class="bookmark" id="appliestoproducts"></a><h3 class="sbody-h3">Applies to</h3>This article applies to the following:<br/><ul class="sbody-free_list"><li>ASP.NET MVC 4.0</li></ul></div><h2>FILE INFORMATION</h2><div class="kb-summary-section section">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.<br/><div class="table-responsive"><table class="sbody-table table"><tr class="sbody-tr"><th class="sbody-th">File name</th><th class="sbody-th">File version</th><th class="sbody-th">File size</th><th class="sbody-th">Date</th><th class="sbody-th">Time</th></tr><tr class="sbody-tr"><td class="sbody-td">Eula.rtf</td><td class="sbody-td">Not applicable</td><td class="sbody-td">152,085</td><td class="sbody-td">18-Jul-2014</td><td class="sbody-td">21:38</td></tr><tr class="sbody-tr"><td class="sbody-td">Policy.4.0.system.web.mvc.dll</td><td class="sbody-td">4.0.0.0</td><td class="sbody-td">10,400</td><td class="sbody-td">19-Aug-2014</td><td class="sbody-td">00:28</td></tr><tr class="sbody-tr"><td class="sbody-td">System.net.http.dll</td><td class="sbody-td">1.0.0.0</td><td class="sbody-td">180,832</td><td class="sbody-td">10-Jul-2012</td><td class="sbody-td">19:07</td></tr><tr class="sbody-tr"><td class="sbody-td">System.net.http.formatting.dll</td><td 
class="sbody-td">4.0.21112.0</td><td class="sbody-td">168,520</td><td class="sbody-td">07-May-2013</td><td class="sbody-td">20:09</td></tr><tr class="sbody-tr"><td class="sbody-td">System.net.http.webrequest.dll</td><td class="sbody-td">1.0.0.0</td><td class="sbody-td">16,480</td><td class="sbody-td">10-Jul-2012</td><td class="sbody-td">19:07</td></tr><tr class="sbody-tr"><td class="sbody-td">System.web.http.dll</td><td class="sbody-td">4.0.20710.0</td><td class="sbody-td">323,168</td><td class="sbody-td">07-May-2013</td><td class="sbody-td">20:09</td></tr><tr class="sbody-tr"><td class="sbody-td">System.web.http.selfhost.dll</td><td class="sbody-td">4.0.20918.0</td><td class="sbody-td">105,584</td><td class="sbody-td">20-May-2013</td><td class="sbody-td">15:04</td></tr><tr class="sbody-tr"><td class="sbody-td">System.web.http.webhost.dll</td><td class="sbody-td">4.0.20710.0</td><td class="sbody-td">73,312</td><td class="sbody-td">07-May-2013</td><td class="sbody-td">20:09</td></tr><tr class="sbody-tr"><td class="sbody-td">System.web.mvc.dll.config</td><td class="sbody-td">Not applicable</td><td class="sbody-td">530</td><td class="sbody-td">19-Aug-2014</td><td class="sbody-td">00:27</td></tr><tr class="sbody-tr"><td class="sbody-td">System.web.mvc.dll</td><td class="sbody-td">4.0.40804.0</td><td class="sbody-td">505,504</td><td class="sbody-td">19-Aug-2014</td><td class="sbody-td">00:28</td></tr><tr class="sbody-tr"><td class="sbody-td">Thirdpartynotices.rtf</td><td class="sbody-td">Not applicable</td><td class="sbody-td">144,925</td><td class="sbody-td">18-Jul-2014</td><td class="sbody-td">21:38</td></tr></table></div></div></body></html>