This update has been released as part of the January 2018 Security and Quality Rollup for .NET Framework 2.0 SP2, 3.0 SP2, 4.5.2, and 4.6 for Windows Server 2008 SP2.
If you have not been offered this security update, you may be running incompatible antivirus software, and you should contact the software vendor. We are working closely with antivirus software partners to make sure that all customers receive the January Windows security updates as soon as possible. For more information, go to <https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software>. Also, see the "Additional information about this security update" section in this article.

This security update resolves a security feature bypass vulnerability that exists when Microsoft .NET Framework and .NET Core components do not completely validate certificates. This security update addresses the vulnerability by helping to make sure that .NET Framework and .NET Core components completely validate certificates. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2018-0786.

Additionally, this security update resolves a denial of service vulnerability that exists when .NET Framework and .NET Core components process XML documents incorrectly. This update addresses the vulnerability by correcting how .NET Framework and .NET Core component applications handle XML document processing. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2018-0764.

Important
If certificates are used for authentication, the authenticator examines the certificate that is provided by the remote endpoint and looks for the correct purpose object identifier in Application Policies extensions. If a certificate is used for client authentication, the object identifier for Client Authentication must be present in the EKU extensions of the certificate. Otherwise, authentication fails. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. Likewise, when a certificate is used for server authentication, the object identifier for Server Authentication must be present in the EKU extensions of the certificate, or authentication fails. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. Certificates that have no EKU extension continue to authenticate correctly.
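As an added example (not code from the KB article or from Microsoft), the following PowerShell script audits a certificate store against the rule just described: a certificate with no EKU extension passes, and a certificate that has an EKU extension passes only if it lists the OID for the intended usage. The store path, the -Usage parameter and the Test-CertificateUsage function name are this example's own choices; the two OIDs are the ones quoted above, read through the .NET X509EnhancedKeyUsageExtension type that the Cert: provider exposes.

```powershell
# Added example, not part of the KB article: audit a certificate store for the
# EKU requirement that the January 2018 update enforces.
#   - no EKU extension            -> still authenticates (Pass)
#   - EKU extension with the OID  -> Pass
#   - EKU extension without it    -> would fail authentication (Fail)
# $StorePath, -Usage and Test-CertificateUsage are assumptions of this example.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [ValidateSet('Server', 'Client')]
    [string]$Usage = 'Server'
)

# Purpose OIDs quoted in the article.
$RequiredOid = @{
    Server = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    Client = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
}[$Usage]

function Test-CertificateUsage {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$Oid
    )
    # Locate the EKU extension, if the certificate carries one.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($null -eq $eku) {
        # No EKU extension: the update keeps accepting these certificates.
        return [pscustomobject]@{ Result = 'Pass'; Reason = 'No EKU extension (any purpose allowed)' }
    }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -contains $Oid) {
        return [pscustomobject]@{ Result = 'Pass'; Reason = "EKU contains $Oid" }
    }
    return [pscustomobject]@{ Result = 'Fail'; Reason = "EKU present but lacks $Oid (has: $($oids -join ', '))" }
}

Get-ChildItem -Path $StorePath |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $check = Test-CertificateUsage -Certificate $_ -Oid $RequiredOid
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Result     = $check.Result
            Reason     = $check.Reason
        }
    } |
    Sort-Object Result |
    Format-Table -AutoSize -Wrap
```

Run it with -Usage Server on the machine that presents the certificate and with -Usage Client on the machine that authenticates with one, before installing the update; the rows marked Fail are the certificates that need to be reissued with the right EKU, or that the wcf:useLegacyCertificateUsagePolicy opt-out described below would keep working in the meantime.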
Consider making changes to your component's certificates to make sure that they are using the correct EKU OID attributes and are secured correctly. If you temporarily cannot access correctly reissued certificates, you can choose to opt in or out of the security change to avoid any connectivity effects. To do this, specify the following appSettings value change in the configuration file:

<appSettings>
  <add key="wcf:useLegacyCertificateUsagePolicy" value="true" />
</appSettings>

Note Setting the value to "true" opts out of the security changes.
The following articles contain more information about this security update as it relates to individual product versions. The articles may contain known issue information.
Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2016 customers

We recommend that all customers protect their devices by running compatible and supported antivirus software. Customers can take advantage of built-in antivirus protection, Windows Defender Antivirus for Windows 8.1 and Windows 10 devices, or a compatible third-party antivirus application. The antivirus software must set a registry key as described in the "Setting the registry key" section in this article to receive the January 2018 security updates.

Windows 7 SP1 and Windows Server 2008 R2 SP1 customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers do not have an antivirus application installed. In these situations, we recommend installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party antivirus application. The antivirus software must set a registry key as described in the "Setting the registry key" section for you to receive the January 2018 security updates.

Customers without antivirus

If you cannot install or run antivirus software, we recommend that you manually set the registry key as described in the "Setting the registry key" section to receive the January 2018 security updates.

Setting the registry key

Caution Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, see the "Changing keys and values" help topic in Registry Editor or see the "Add and delete information in the registry" and "Edit registry data" help topics in Regedt32.exe.

Important You will not receive the January 2018 security updates or any later security updates and you will not be protected from security vulnerabilities unless your antivirus software sets the following registry key:

Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
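As an added example (not from the KB article), this PowerShell snippet reports whether the QualityCompat value above is present with data 0, which is the state in which the January 2018 updates are offered, and creates it only when run with -Set. The function name Get-QualityCompatStatus and the -Set switch are this example's own; the key path, value name, type and data are exactly those listed above.

```powershell
# Added example, not part of the KB article: check (and, with -Set, create) the
# QualityCompat value that gates the January 2018 security updates.
# Get-QualityCompatStatus and -Set are assumptions of this example; the key,
# value name, REG_DWORD type and data 0 come from the article.
param([switch]$Set)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    # -ErrorAction SilentlyContinue covers both a missing key and a missing value.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Data = $null; Ok = $false }
    }
    $data = $item.$ValueName
    # Ok only when the DWORD data is 0x00000000, as the article specifies.
    [pscustomobject]@{ Present = $true; Data = $data; Ok = ($data -eq 0) }
}

$status = Get-QualityCompatStatus
if ($Set -and -not $status.Ok) {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    $status = Get-QualityCompatStatus
}
$status
```

Without -Set the script is read-only and can be run as an inventory check across machines; -Set needs an elevated prompt because the value lives under HKEY_LOCAL_MACHINE.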