Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Server 2012 (KB4569773)

Security improvements

An elevation of privilege vulnerability exists when ASP.NET or .NET Framework web applications running on IIS improperly allow access to cached files. An attacker who successfully exploited this vulnerability could gain access to restricted files. To exploit this vulnerability, an attacker would need to send a specially crafted request to an affected server. The update addresses the vulnerability by changing how ASP.NET and .NET Framework handle requests.

To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).

• CVE-2020-1476

Quality and reliability improvements

¹ Common Language Runtime (CLR)
² Windows Presentation Foundation (WPF)

Important

• All updates for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990.
• If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Windows Presentation Framework (WPF) applications that use two or more HostVisual elements belonging to a common thread, where both HostVisual elements are asked to disconnect from their visual target at roughly the same time, mail fail with the following error:

Exception type:  System.COMException
Message:  UCEERR_RENDERTHREADFAILURE (HRESULT 0x88980406)
Callstack:  top frame is System.Windows.Media.Composition.DUCE+Channel.SyncFlush()

Workarounds

You can disable the problematic fix by setting the AppContext switch “Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread” to true, using one of the methods described here.  This exposes your app to the original bug, so you should remove the switch once a fix is published through an upcoming update.

Workaround 1

•    Add the following entry to the app.config file to disable the problematic fix in a single application.

<runtime>
    <AppContextSwitchOverrides value="Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread=true"/>
</runtime>

Note that if your application configuration already has an entry for <AppContextSwitchOverrides>, you need to add the new setting within that entry, separated from other switches by a semicolon:

   <AppContextSwitchOverrides value="Switch.SomeOtherSwitch=true; Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread=true"/>

Workaround 2

•    Apply the following registry subkey to disable the problematic fix for all WPF applications on the machine.
 Warning
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AppContext\
Name: Switch.System.Media.HostVisual.DisconnectsOnWrongThread
Type: String
Value: true

Note that on 64-bit operating systems, you also need to apply a registry subkey with the same name, type, and value at the location:   HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\.NETFramework\AppContext\

Resolution

We are working on a resolution and will provide an update in an upcoming release.
 

• 4570507 Description of the Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 (KB4570507)

Before installing this update

Prerequisite:

To apply this update, you must have .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 installed.

Install this update

Prerequisites

To apply this update, you must have .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 installed.

Restart requirement

You must restart the computer after you apply this update if any affected files are being used. We recommend that you exit all .NET Framework-based applications before you apply this update.

Update deployment information

For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:

20200811 Security update deployment information: August 11, 2020

Update removal information

Note We do not recommend that you remove any security update. To remove this update, use the Programs and Features item in Control Panel.

Update restart information

This update does not require a system restart after you apply it unless files that are being updated are locked or are being used.

Update replacement information

This update replaces previously released updates 4566518.

• Protect yourself online: Windows Security support
• Learn how we guard against cyber threats: Microsoft Security