Code under .Net framework 4.6.1 but deployed to Runtime 4.8 still secure?

RinoaHeartilly 0 Reputation points
2023-03-20T23:57:44.55+00:00

Our applications are developed and compiled under .net framework 4.6.1.

Our servers hosting the applications are running Runtime 4.8

We are aware that framework version 4.6.1 has reached its end-of-life. Couple of articles have stated that as long as runtime is set to 4.6.2 and higher it should still be supported. Does having runtime 4.8 enough to guard us from security risks and vulnerability?

Will it be possible that there might be a new security risk/issue targeting code compiled under framework 4.6.1 and will make our system vulnerable even if the servers are running 4.8 runtime?

.NET Runtime
.NET Runtime
.NET: Microsoft Technologies based on the .NET software framework.Runtime: An environment required to run apps that aren't compiled to machine language.
1,117 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jiachen Li-MSFT 26,426 Reputation points Microsoft Vendor
    2023-03-21T01:31:37.9266667+00:00

    Hi, welcome to Microsoft Q&A.

    Beginning with version 4.5.2 and later, .NET Framework is defined as a component of the Windows operating system (OS). Components receive the same support as their parent products, therefore, .NET Framework 4.5.2 and later follows the lifecycle policy of the underlying Windows OS on which it is installed.

    Support for .NET Framework versions 4.5.2, 4.6, and 4.6.1 ended on April 26, 2022, so security fixes, updates, and technical support for these versions will no longer be provided. Update your deployed runtime to a more recent version, such as .NET Framework 4.6.2 in order to continue to receive updates and technical support.

    So as long as the operating system is still supported, the .NET Framework runtime keeps the latest security updates.

    Best Regards. 

    Jiachen Li 

    ---------- 

    If the answer is helpful, please click "Accept Answer" and upvote it. 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.   

    0 comments
  2. Lex Li (Microsoft) 4,662 Reputation points Microsoft Employee
    2023-04-02T04:22:47.7633333+00:00

    So, for your specific case you need to understand two concepts,

    • Compile-time framework version. You compile the code base against .NET Framework 4.6.1 API surface, so your code cannot consume new classes/methods in newer .NET Framework versions.
    • Runtime framework version. You deploy the app onto .NET Framework 4.8, so that the actual code execution is using the supported binaries from the newer .NET Framework version and security patches are there via Windows Update.

    Like this other answer indicated, the runtime framework version ensures that your app is in general secure.

    However, there are specific cases you need to be aware of that many of the new APIs are also security related. For example, Tls13 in SecurityProtocolType is exclusive for .NET Framework 4.8 and above.

    You still need to review the code base thoroughly and see if any of the new APIs can be utilized to put security risks under control.

    0 comments