MS13-007: Vulnerability in Open Data Protocol could allow denial of service: January 8, 2013

Article ID: 2769327

View products that this article applies to.

Applies to

Collapse this imageExpand this image
This article applies to the following:
  • Microsoft .NET Framework 4 when used with:
    • Windows 7
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2
    • Windows Server 2008 R2 Service Pack 1
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
    • Microsoft Windows XP Service Pack 3
    • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft .NET Framework 3.5.1 when used with:
    • Windows 7
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2
    • Windows Server 2008 R2 Service Pack 1
  • Microsoft .NET Framework 3.5 Service Pack 1 when used with:
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
    • Microsoft Windows XP Service Pack 3
    • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft .NET Framework 3.5 when used with:
    • Windows 8
    • Windows RT
    • Windows Server 2012
Collapse this imageExpand this image
Expand all | Collapse all

On This Page

Introduction

Microsoft has released the security bulletin MS13-007. You can view the complete security bulletin by going to one of the following Microsoft websites:
Back to the top | Give Feedback

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update
(http://support.microsoft.com/ph/6527)


Security solutions for IT professionals: TechNet Security Troubleshooting and Support
(http://technet.microsoft.com/security/bb980617.aspx)


Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
(http://support.microsoft.com/contactus/cu_sc_virsec_master)


Local support according to your country: International Support
(http://support.microsoft.com/common/international.aspx)
Back to the top | Give Feedback

More information

Known issues and additional information about this update

The default Replace canonical function could allow for a denial of service attack. Therefore, this security update disables the Replace canonical function. We recommend that you leave this functionality disabled unless other mitigations are used. For example, using authenticated access to the service or using a provider that is not vulnerable to nested Replace as an attack vector may reduce the risk of a denial of service attack. If you use other mitigations, you can restore Replace functionality by setting enable="true" in a configuration file, as shown in the following XML code example. It can also be restored in service code by setting the enable property to true in the DataServicesReplaceFunctionFeature
(http://msdn.microsoft.com/en-us/library/system.data.services.configuration.dataservicesreplacefunctionfeature.aspx)
class. 
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <sectionGroup name="wcfDataServices" type="System.Data.Services.Configuration.DataServicesSectionGroup">
      <section name="features" type="System.Data.Services.Configuration.DataServicesFeaturesSection" />
    </sectionGroup>
 </configSections>  
  <wcfDataServices>
    <features>
      <replaceFunction enable="true" />
    </features>
  </wcfDataServices>
</configuration>


The following articles contain additional information about this update as it relates to individual product versions. The articles may contain information that is specific to the individual updates such as download URL, prerequisites, and command-line switches.


Microsoft .NET Framework 4
  • 2736428
    (http://support.microsoft.com/kb/2736428/ )
     MS13-007: Description of the security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: January 8, 2013

Microsoft .NET Framework 3.5.1
  • 2736422
    (http://support.microsoft.com/kb/2736422/ )
    MS13-007: Description of the security update for the .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: January 8, 2013
  • 2736418
    (http://support.microsoft.com/kb/2736418/ )
    MS13-007: Description of the security update for the .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2: January 8, 2013

Microsoft .NET Framework 3.5
  • 2736693
    (http://support.microsoft.com/kb/2736693/ )
    MS13-007: Description of the security update for the .NET Framework 3.5 on Windows 8, Windows RT, and Windows Server 2012: January 8, 2013
Microsoft .NET Framework 3.5 Service Pack 1
  • 2736416
    (http://support.microsoft.com/kb/2736416/ )
     MS13-007: Description of the security update for the .NET Framework 3.5 Service Pack 1 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008: January 8, 2013
Microsoft Management OData IIS Extension
  • 2753596
    (http://support.microsoft.com/kb/2753596/ )
    MS13-007: Description of the security update for the Management OData IIS Extension on Windows Server 2012: January 8, 2013

File hash information

Collapse this imageExpand this image
Collapse this tableExpand this table
File nameSHA1 hashSHA256 hash
NDP35SP1-KB2736416-IA64.exeCF3BEE8AFC2555D381800B628A3DCC01EC4E685C24CC439999EBB612F37D30127D81B9D625B1EE3C7080970D44BF38DF05755F2C
NDP35SP1-KB2736416-x64.exeD1D9B33957BBA14E31988DFDAF4F5D3B13F3794319C4E28FB8A57201F21A73E3CA36749E6ACC89D736E58DD0110745C243C710CF
NDP35SP1-KB2736416-x86.exe93368F49226C00B8DDB32723196DDFBB275C87657CB7576F5512EEFA0D86C3E0B2F957199A7B8EF87C3CBACAEF03F7E5640DEB9F
NDP40-KB2736428-IA64.exe4012210984C452D0274CB36BBDAD97A320166EFA40B51ED358CAC83E02D9DB202DD3F4844BC8719DC8E4A4101AF3406CA328FB92
NDP40-KB2736428-x64.exeF5F126738673AE9764D03FE42FEEEA68F1EDECE2C42871B7CF1EFA48743357FCBE24341B55D3819D394DC262AD483DD75DC9D705
NDP40-KB2736428-x86.exe69A15697F7C9C976B933BD46869C895E9A1B03564C250204646ED8CF3BC2F24C4FD9177D0F41F8AD43504F497E4AAC0DB04F8EE0
Windows6.1-KB2736418-ia64.msuD6F17DCDEC64753B932C796BA9E39CF7FBC34B6DA796299F9E7ECC98738211F8669C1FDCB496DF340FF00EBF13EA136C7B1D6943
Windows6.1-KB2736418-x64.msu7DD6936DD2CF338DB1AE2EDFEA8FBAC6D089C484B663BE83A5B429F6DA9221AEE8E80A0C7E2353F5182BD042B62713CB3108E3C4
Windows6.1-KB2736418-x86.msu014BEBBAA5E33345456B8C4583040333673BD3E3ACC5DD40C3B00628A5B5F4E66CF810CC3D6AACF4C17D58B6BB9E36527D004DC1
Windows6.1-KB2736422-ia64.msuAA0D30E6C0C2495A61AF74D0AFCB0AD432810EA983BDFDA8FC1AF4B9407CE3DF89A11D3B1CA9043FA2D0B0C36C5A769ABD32E540
Windows6.1-KB2736422-x64.msu8012D0310C4E3A74FBB64EA25D7F6050EC0192010D992E873F7BE6D52F8A8FC53716FCBCB9E38B4E1C3D9EC4497112741FA97C60
Windows6.1-KB2736422-x86.msuA7853ADD16B14609C9B34348B52878B15EB9410FAA85481D1FD59E56D46FE86127456A56A945956CEB3DF110A6A9B77C765216BA
Windows8-RT-KB2736693-x64.msuFA7526CC57DB70D12FFFD587A6AC1F7C26F0409874069778B8CDFF51D34D441D59FB2EAE6EF22EBE9AC0CCD5CD26B753C7DE789A
Windows8-RT-KB2736693-x86.msuA35F02E2579F7038C013BE7A633A0207C6ADAA4CC6ABCDB241A7C4372F107A0CD5216A4ED1B3A4DE19D9F4EDA6AE60AE589F38C5
Windows8-RT-KB2753596-x64.msu458C4B5E42FF52653F3DB60EEB2AD2A3D18B896209883673056652E84DB240DC487937A1DFF7E8E27F1EAFF5FC9FBD3342AE3543
Collapse this imageExpand this image
Back to the top | Give Feedback

Update replacement information

Update replacement information for each specific update can be found in the Knowledge Base articles that correspond to this update.
Back to the top | Give Feedback

Properties

Article ID: 2769327 - Last Review: January 8, 2013 - Revision: 1.0
Keywords: 
kbsecvulnerability kbsecurity kbsecbulletin kbfix kbexpertiseinter kbbug atdownload KB2769327
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top