Microsoft Security Bulletin MS15-041 - Important
Vulnerability in .NET Framework Could Allow Information Disclosure (3048010)
Published: April 14, 2015 | Updated: May 12, 2015
Version: 2.0
Executive Summary
This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.
This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on affected releases of Microsoft Windows. For more information, see the Affected Software section.
The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
For more information about this update, see Microsoft Knowledge Base Article 3048010.
Affected Software
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
---|---|---|---|---|
Windows Server 2003 | ||||
Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1 (3037572) | Information Disclosure | Important | 2901115 in MS14-009 |
Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037577) | Information Disclosure | Important | 2901111 in MS14-009 |
Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037577) | Information Disclosure | Important | 2901111 in MS14-009 |
Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 2.0 Service Pack 2 (3037577) | Information Disclosure | Important | 2901111 in MS14-009 |
Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Vista | ||||
Windows Vista Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037573) | Information Disclosure | Important | 2901113 in MS14-009 |
Windows Vista Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Vista Service Pack 2 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037573) | Information Disclosure | Important | 2901113 in MS14-009 |
Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2008 | ||||
Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037573) | Information Disclosure | Important | 2901113 in MS14-009 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037573) | Information Disclosure | Important | 2901113 in MS14-009 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft .NET Framework 2.0 Service Pack 2 (3037573) | Information Disclosure | Important | 2901113 in MS14-009 |
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows 7 | ||||
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 (3037574) | Information Disclosure | Important | 2901112 in MS14-009 |
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 (3037574) | Information Disclosure | Important | 2901112 in MS14-009 |
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2008 R2 | ||||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 (3037574) | Information Disclosure | Important | 2901112 in MS14-009 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 (3037574) | Information Disclosure | Important | 2901112 in MS14-009 |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows 8 and Windows 8.1 | ||||
Windows 8 for 32-bit Systems | Microsoft .NET Framework 3.5 (3037575) | Information Disclosure | Important | 2901120 in MS14-009 |
Windows 8 for 32-bit Systems | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) | Information Disclosure | Important | 2901119 and 2901127 in MS14-009 |
Windows 8 for x64-based Systems | Microsoft .NET Framework 3.5 (3037575) | Information Disclosure | Important | 2901120 in MS14-009 |
Windows 8 for x64-based Systems | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) | Information Disclosure | Important | 2901119 and 2901127 in MS14-009 |
Windows 8.1 for 32-bit Systems | Microsoft .NET Framework 3.5 (3037576) | Information Disclosure | Important | 2901125 in MS14-009 |
Windows 8.1 for 32-bit Systems | Microsoft .NET Framework 4.5.1/4.5.2 (3037579) | Information Disclosure | Important | 2901128 in MS14-009 |
Windows 8.1 for x64-based Systems | Microsoft .NET Framework 3.5 (3037576) | Information Disclosure | Important | 2901125 in MS14-009 |
Windows 8.1 for x64-based Systems | Microsoft .NET Framework 4.5.1/4.5.2 (3037579) | Information Disclosure | Important | 2901128 in MS14-009 |
Windows Server 2012 and Windows Server 2012 R2 | ||||
Windows Server 2012 | Microsoft .NET Framework 3.5 (3037575) | Information Disclosure | Important | 2901120 in MS14-009 |
Windows Server 2012 | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) | Information Disclosure | Important | 2901119 and 2901127 in MS14-009 |
Windows Server 2012 R2 | Microsoft .NET Framework 3.5 (3037576) | Information Disclosure | Important | 2901125 in MS14-009 |
Windows Server 2012 R2 | Microsoft .NET Framework 4.5.1/4.5.2 (3037579) | Information Disclosure | Important | 2901128 in MS14-009 |
Windows RT and Windows RT 8.1 | ||||
Windows RT | Microsoft .NET Framework 4.5/4.5.1/4.5.2[2](3037580) | Information Disclosure | Important | 2901119 and 2901127 in MS14-009 |
Windows RT 8.1 | Microsoft .NET Framework 4.5.1/4.5.2[2](3037579) | Information Disclosure | Important | 2901128 in MS14-009 |
Server Core installation option | ||||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 3.5.1 (3037574) | Information Disclosure | Important | 2901112 in MS14-009 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4[1](3037578) | Information Disclosure | Important | 2901110 in MS14-009 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) | Information Disclosure | Important | 2901126 in MS14-009 |
Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 3.5 (3037575) | Information Disclosure | Important | 2901120 in MS14-009 |
Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) | Information Disclosure | Important | 2901119 and 2901127 in MS14-009 |
Windows Server 2012 R2 (Server Core installation) | Microsoft .NET Framework 3.5 (3037576) | Information Disclosure | Important | 2901125 in MS14-009 |
Windows Server 2012 R2 (Server Core installation) | Microsoft .NET Framework 4.5.1/4.5.2 (3037579) | Information Disclosure | Important | 2901128 in MS14-009 |
[1].NET Framework 4 and .NET Framework 4 Client Profile affected.
[2]This update is available via Windows Update only.
Update FAQ
How do I determine which version of Microsoft .NET Framework is installed?
You can install and run multiple versions of .NET Framework on a system, and you can install the versions in any order. For more information, see Microsoft Knowledge Base Article 318785.
What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile.
There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems.
Do I need to install these security updates in a particular sequence?
No. Multiple updates for a given system can be applied in any sequence.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software | ||
---|---|---|
Affected Software | ASP.NET Information Disclosure Vulnerability - CVE-2015-1648 | Aggregate Severity Rating |
Microsoft .NET Framework 1.1 Service Pack 1 | ||
Microsoft .NET Framework 1.1 Service Pack 1 on Microsoft Windows Server 2003 Service Pack 2 (3037572) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 | ||
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 Service Pack 2 (3037577) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 x64 Edition Service Pack 2 (3037577) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2 (3037577) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 (3037573) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 (3037573) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037573) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 (3037573) | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 (3037573) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 | ||
Microsoft .NET Framework 3.5 on Windows 8 for 32-bit Systems (3037575) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows 8 for x64-based Systems (3037575) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows Server 2012 (3037575) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) (3037575) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems (3037576) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based Systems (3037576) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (3037576) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) (3037576) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 | ||
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 (3037574) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 (3037574) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037574) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037574) | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3037574) | Important Information Disclosure | Important |
Microsoft .NET Framework 4 | ||
Microsoft .NET Framework 4 when installed on Windows Server 2003 Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2003 x64 Edition Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2003 with SP2 for Itanium-based Systems (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 on Windows Vista Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 on Windows Vista x64 Edition Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 for Itanium-based Systems Service Pack 2 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3037578)[1] | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 | ||
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Vista Service Pack 2 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Vista x64 Edition Service Pack 2 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4/4.5.1/4.5.2 when installed on Windows Server 2008 for x64-based Systems Service Pack 2 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows 7 for 32-bit Systems Service Pack 1 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows 7 for x64-based Systems Service Pack 1 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037581) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows 8 for 32-bit Systems (3037580) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5.1/4.5.2 on Windows 8.1 for 32-bit Systems (3037579) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows 8 for x64-based Systems (3037580) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5.1/4.5.2 on Windows 8.1 for x64-based Systems (3037579) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows Server 2012 (3037580) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows Server 2012 (Server Core installation) (3037580) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5.1/4.5.2 on Windows Server 2012 R2 (3037579) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5.1/4.5.2 on Windows Server 2012 R2 (Server Core installation) (3037579) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows RT (3037580) | Important Information Disclosure | Important |
Microsoft .NET Framework 4.5.1/4.5.2 on Windows RT 8.1 (3037579) | Important Information Disclosure | Important |
[1].NET Framework 4 and .NET Framework 4 Client Profile affected.
Vulnerability Information
ASP.NET Information Disclosure Vulnerability - CVE-2015-1648
An information disclosure vulnerability exists in ASP.NET that is caused when ASP.NET improperly handles certain requests on systems that have custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.
To exploit this vulnerability, an attacker could a send a specially crafted web request to an affected server with the intention of eliciting an error message that could disclose information pertaining to the source line that originated the exception. Ultimately, this could disclose information that was not intended to be accessible. The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure.
By default, ASP.NET applications are not exposed to this vulnerability because they are configured to not display detailed error messages to remote users. Sometimes developers turn on detailed error messages to gather information and then fail to turn them off, which would then expose the application to this vulnerability.
The default setting in web.config is as follows:
<customerrors mode="remoteOnly">
In a production environment, best practice would see this entry changed to the following:
</customerrors><customerrors mode="On" defaultredirect="ErrorPage.htm">
As a general rule, in production environments developers should never use the following:
</customerrors><customerrors mode="off">
Note that error messages are customizable based on the error code. For more information, see customErrors Element (ASP.NET Settings Schema).
As an added protection against accidental disabling of custom errors, machine administrations can turn on retail mode. See the related workaround in this bulletin for more information.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
The following mitigating factors may be helpful in your situation:
- Only IIS servers that serve verbose error messages are affected; production servers are unlikely to be affected.
Workarounds
The following workarounds may be helpful in your situation:
Configure .NET in retail mode on all web servers
In the machine.config files of all web servers, add the setting "<deployment retail="true" />" to the "system.web" section of the "configuration" section.
On 32-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework\[version]\config\machine.config.
On 64-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework64\[version]\config\machine.config.
For more information on this setting, see deployment Element (ASP.NET Settings Schema).
Impact of workaround. All ASP.NET detailed error messages from all websites on each server will be suppressed.
How to undo the workaround.
To undo the workaround, remove the setting that was added by way of this procedure.
Enable custom errors for all websites
In the web.config files for all websites, ensure that the "customErrors" setting (in the "system.web" section of the "configuration" section") is not set to “off”. Safe values are "on", "remoteonly", or no setting at all.
For more information on the customErrors setting, see customErrors Element (ASP.NET Settings Schema).
Impact of workaround. All ASP.NET detailed error messages from all websites will be suppressed.
How to undo the workaround.
To undo the workaround, revert the settings that were established by way of this procedure.
Security Update Deployment
For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (April 14, 2015): Bulletin published.
- V2.0 (May 12, 2015): Bulletin re-released to address issues with the 3037580 update for Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected editions of Microsoft Windows. Customers running these versions of .NET Framework are encouraged to install the new version of the 3037580 update to be protected from the vulnerability discussed in this bulletin. See Microsoft Knowledge Base Article 3037580 for more information.
Page generated 2015-05-06 13:24Z-07:00.