MS07-040: Vulnerabilities in the .NET Framework could allow remote code execution

<html><body><p>Resolves three privately reported vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems that have the .NET Framework installed. One could allow information disclosure on Web servers that are running ASP.NET.</p><h2>INTRODUCTION</h2><div>Microsoft has released security bulletin MS07-040. This security bulletin contains all the relevant information about the corresponding security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites:<br /><br /><ul><li>Home users:<div><a href=“http://www.microsoft.com/protect/computer/updates/bulletins/200707.mspx” target=“_self”>http://www.microsoft.com/protect/computer/updates/bulletins/200707.mspx</a></div><span>Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update Web site now:<br /><div><a href=“http://update.microsoft.com/microsoftupdate/” target=“_self”>http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<div><a href=“http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx” target=“_self”>http://www.microsoft.com/technet/security/bulletin/MS07-040.mspx</a></div></li></ul></div><h2>More Information</h2><div><h3>Known issues with this security update</h3>The following table lists the known issues with this security update. Help installing updates: <br /><a href=“https://support.microsoft.com/ph/6527” target=“_self”>Support for Microsoft Update</a><br /><br />Security solutions for IT professionals: <br /><a href=“http://technet.microsoft.com/security/bb980617.aspx” target=“_self”>TechNet Security Troubleshooting and Support</a><br /><br />Help protect your computer that is running Windows from viruses and malware:<br /><a href=“https://support.microsoft.com/contactus/cu_sc_virsec_master” target=“_self”>Virus Solution and Security Center</a><br /><br />Local support according to your country: <br /><a href=“https://support.microsoft.com/common/international.aspx” target=“_self”>International Support</a><br /><br /><br /><br />To use the table, look in the top two rows of the table. Locate the column of the appropriate Microsoft Knowledge Base article number for the update that corresponds to the .NET Framework version that you are using. The rows that contain an “X” correspond to a Knowledge Base article that describes a known issue for the .NET Framework version that you are using. Click the article numbers in the left column to view the article. <div><table><tr><th></th><th>KB930494<br />.NET Framework 1.0 SP3</th><th>KB928367<br />.NET Framework 1.0 SP3</th><th>KB928366<br />.NET Framework 1.1 SP1</th><th>KB933854<br />.NET Framework 1.1 SP1</th><th>KB929729<br />.NET Framework 1.1 SP1</th><th>KB928365<br />.NET Framework 2.0</th><th>KB929916<br />.NET Framework 2.0</th></tr><tr><th> Microsoft Knowledge Base article </th><th> MCE and Tablet PC </th><th> Vista/Windows Server 2003/Windows 2000/Windows XP </th><th> Windows 2000/Windows XP/Windows Server 2003 x64 and IA-64 </th><th> Windows Server 2003 x86 </th><th> Vista </th><th>Windows Server 2003/Windows XP/Windows 2000 </th><th> Vista </th></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/923100”>923100 </a></td><td></td><td>X</td><td>X</td><td></td><td>X</td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/923101”>923101 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/931846”>931846 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/934229”>934229 </a></td><td></td><td></td><td></td><td>X</td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/934711”>934711 </a></td><td></td><td></td><td>X</td><td>X</td><td>X</td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/934712”>934712 </a></td><td></td><td>X</td><td></td><td></td><td>X</td><td></td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/934793”>934793 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/936597”>936597 </a></td><td>X</td><td>X</td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/939160”>939160 </a></td><td></td><td>X</td><td>X</td><td></td><td>X</td><td></td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/939949”>939949 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/940332”>940332 </a></td><td></td><td>X</td><td>X</td><td></td><td>X</td><td></td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/940521”>940521 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/940947”>940947 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/941386”>941386 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/941789”>941789 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/942086”>942086 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td>X</td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/943804”>943804 </a></td><td></td><td></td><td></td><td></td><td></td><td>X</td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/944746”>944746 </a></td><td>X</td><td>X</td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><a href=“https://support.microsoft.com/en-us/help/944925”>944925 </a></td><td></td><td></td><td>X</td><td></td><td></td><td></td><td></td></tr></table></div><h4>Microsoft Knowledge Base articles that describe the known issues with this security update</h4><span>For more information about the known issues that are referenced in this table, click the following article numbers to view the articles in the Microsoft Knowledge Base:<div><a href=“https://support.microsoft.com/en-us/help/923100”>923100 </a> When you try to install an update for the .NET Framework 1.0, 1.1, or 2.0, you may receive Windows Update error code “0x643” or Windows Installer error code “1603”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/923101”>923101 </a> Error message when you try to install a security update for the .NET Framework 2.0 on a computer that is running Windows Server 2003 x64 Edition: “Error 1324. The folder ‘Program Files’ contains an invalid character” </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/931846”>931846 </a> You may be unable to execute SQL Server 2005 Integration Services packages that contain script tasks or script components </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/934229”>934229 </a> The “Add Link to Site” page stops responding, and the link is not added when you try to add a new link to the Site Directory in a SharePoint Portal Server 2003 site</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/934711”>934711 </a> Error message when you restart the computer after you uninstall a security update for the .NET Framework 1.1: “This application has requested the Runtime to terminate in an unusual way” </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/934712”>934712 </a> Warning message when you try to install a .NET Framework 1.0 Service Pack 3 or .NET Framework 1.1 Service Pack 1 security update on a Windows Vista-based computer: “An unidentified program wants to access your computer”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/934793”>934793 </a> Description of the SharePoint Server 2007 hotfix package: April 12, 2007 </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/936597”>936597 </a> The application or control does not run when you try to run .NET Framework 1.0 HREF tags to point to a managed executable application or to a control </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/939160”>939160 </a>The file version is rolled back to the version that was installed by the last service pack when you remove some security updates for the .NET Framework 1.1 or for the .NET Framework 1.0 </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/939949”>939949 </a> Error message when you run an application or try to access a Web site on a computer that has a particular .NET Framework 2.0 software update installed: “Culture name ‘Culture’ is not supported” </div></span><span><div><a href=“https://support.microsoft.com/en-us/help/940332”>940332 </a> Error message when you install an update for the .NET Framework 1.1 or for the .NET Framework 1.0: “The upgrade patch cannot be installed by the Windows Installer service”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/940521”>940521 </a> The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/940947”>940947 </a> Error message after you install security update 931212 (MS07-040) in Windows 2000 with Service Pack 4: “Error 127: the specified procedure could not be found”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/941386”>941386 </a> FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0 after you install the MS07-040 security update: “Type ‘System.Web.HttpHeaderCollection’ is not marked as serializable”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/941789”>941789 </a> You receive error messages after you install security update 931212 (MS07-040) on a Windows SharePoint Services 3.0 Web front-end server or on a SharePoint Server 2007 Web front-end server</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/942086”>942086 </a> FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0: “The constructor to deserialize an object of type ‘<custom object>’ was not found”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/943804”>943804 </a> FIX: Certain Unicode characters returned by the Application.ExecutablePath property in the .NET Framework 2.0 are displayed as “?”</div></span><span><div><a href=“https://support.microsoft.com/en-us/help/944746”>944746 </a>FIX: Event ID: 1008 occurs after you apply security update MS07-040 on a computer that has the .NET Framework 1.0 installed<br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/944925”>944925 </a>FIX: You may receive an exception error message when you serialize an ObjRef object between the client computer and the server computer after you install the MS07-040 update on only the client computer<br /></div></span><h3>Microsoft Knowledge Base articles that describe the individual packages for this security update</h3><span>For more information about the individual packages for this security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:<br /><br /><div><a href=“https://support.microsoft.com/en-us/help/930494”>930494 </a>Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows XP Media Center and Windows XP Tablet PC: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/928367”>928367 </a> Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows Vista, Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/928366”>928366 </a> Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows XP and Windows 2000: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/933854”>933854 </a> Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Server 2003: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/929729”>929729 </a> Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Vista: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/928365”>928365 </a> Description of the security update for the .NET Framework 2.0 for Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007<br /><br /></div></span><span><div><a href=“https://support.microsoft.com/en-us/help/929916”>929916 </a> Description of the security update for the .NET Framework 2.0 for Windows Vista: July 10, 2007<br /><br /></div></span><h3>Additional information about this security update</h3> After you install this security update, the behavior of UTF8Encoding, UnicodeEncoding, and UTF32Encoding change to comply to the Unicode 5.0 requirements for Unicode encodings. Unauthorized and invalid bytes are not removed. Instead, they are replaced by the Unicode character U+FFFD, the Unicode replacement character. <br /><br /><span>For more information about this behavior, click the following article number to view the article in the Microsoft Knowledge Base:<br /><br /><div><a href=“https://support.microsoft.com/en-us/help/940521”>940521 </a>The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040<br /><br /></div></span><h3>Affected software</h3>This article applies to the following versions of the Microsoft .NET Framework when used with the corresponding Microsoft operating systems:<br /><br /><ul><li>The .NET Framework 1.0 Service Pack 3 when used with:<br /><br /><ul><li>Windows 2000 Service Pack 4</li><li>Windows XP Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows XP Tablet PC Edition 2005</li><li>Windows XP Media Center Edition 2005</li><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li><li>Windows Server 2003 for Itanium-based Systems when used with:<br /><br /><ul><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Windows Server 2003 x64 Edition</li><li>Windows Server 2003 x64 Edition Service Pack 2</li><li>Windows Vista</li><li>Windows Vista Service Pack 1</li><li>Windows Server 2008</li></ul></li><li>The .NET Framework 1.1 Service Pack 1 when used with:<br /><br /><ul><li>Windows 2000 Service Pack 4</li><li>Windows XP Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li><li>Windows Server 2003 for Itanium-based Systems when used with:<br /><br /><ul><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Windows Server 2003 x64 Edition</li><li>Windows Server 2003 x64 Edition Service Pack 2</li><li>Windows Vista</li><li>Windows Vista Service Pack 1</li><li>Windows Vista x64 Edition</li><li>Windows Vista x64 Edition Service Pack 1</li><li>Windows Server 2008</li><li>Windows Server 2008 x64 Edition </li><li>Windows Server 2008 for Itanium-based Systems</li></ul></li><li>The .NET Framework 2.0 when used with:<br /><br /><ul><li>Windows 2000 Service Pack 4</li><li>Windows XP Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li><li>Windows Server 2003 for Itanium-based Systems when used with:<br /><br /><ul><li>Windows Server 2003 Service Pack 1</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Windows Server 2003 x64 Edition</li><li>Windows Server 2003 x64 Edition Service Pack 2</li><li>Windows Vista</li><li>Windows Vista x64 Edition</li></ul></li></ul></div></body></html>