Marshaling of reflection types may not work over DCOM after you install a security update from security bulletin MS14-009

Article translations Article translations
Article ID: 2934830
Expand all | Collapse all

Symptoms

After you install the update that corresponds to Microsoft security bulletin MS14-009 for the Microsoft .NET Framework, marshaling of reflection types may not work as expected over DCOM. Additionally, macro functionality in Microsoft Visual Studio may not work as expected.

For more information about MS14-009, click the following article number to view the article in the Microsoft Knowledge Base:
2916607 MS14-009: Vulnerabilities in the .NET Framework could allow elevation of privilege: February 11, 2014

Cause

Security bulletin MS14-009 for the .NET Framework blocks marshaling for reflection types. The types that are blocked include the following and also any types that are derived from these types.
  • System.Type
  • System.Reflection.Assembly
  • System.Reflection.MemberInfo
  • System.Reflection.Module
  • System.Reflection.MethodBody
  • System.Reflection.ParameterInfo
  • System.Reflection.TypeInfo
  • System.Reflection.MethodInfo
  • System.Reflection.FieldInfo

Workaround

Although most applications will not be affected by this change, if an application has to use reflection over DCOM, you can work around the limitation by adding the AllowDComReflection configuration switch in the <runtime> section of your <Application>.exe.config file as follows:
 
 <?xml version ="1.0"?>
 <configuration>
     <runtime>
         <AllowDComReflection enabled="1"/>
     </runtime>
 </configuration>

Setting this configuration switch will enable an application to use reflection over DCOM.

To safely restore the functionality of Visual Studio macros, update one of the following application configuration files, depending on the version of Visual Studio that is installed on the system.

Collapse this tableExpand this table
VersionFolderFile name
Visual Studio 2005 Service Pack 1 (SP1)\Program Files (x86)\Common Files\Microsoft Shared\VSA\8.0\VsaEnvVsmsvr.exe.config
Visual Studio 2008\Program Files (x86)\Common Files\Microsoft Shared\VSA\9.0\VsaEnvVsmsvr.exe.config
Visual Studio 2010\Program Files (x86)\Common Files\Microsoft Shared\VSA\9.0\VsaEnvVsmsvr10.exe.config

Note For 32-bit installations, the path will be under \Program Files\.

Configuration file modification is the same for all affected versions of Visual Studio. You should add the AllowDComReflection switch in the <runtime> section as follows:
<AllowDComReflection enabled="1"/>

This update blocks reflection types from leaving managed code but not from entering managed code. Therefore, in most cases, you only have to set the configuration switch on the client-side. You should use this configuration switch only for those applications for which the switch has to be set. 

Note You should still secure the connection to the server.

Securing the endpoints

Because untrusted endpoints may be able to elevate their permissions if the configuration switch is used, you must make sure that the endpoint that is sending reflection types can trust the connection to the remote endpoint.

For information about general DCOM security configuration, go to the following Microsoft Developer Network (MSDN) website:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms678426.aspx

For information for users of Enterprise Services (COM+), go to the following MSDN website:
http://msdn.microsoft.com/en-us/library/ms973847.aspx#entserv_topic6

The information in this article applies to:
  • Microsoft .NET Framework 1.0 SP3
  • Microsoft .NET Framework 1.1 SP1
  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5 SP1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5

Properties

Article ID: 2934830 - Last Review: February 21, 2014 - Revision: 3.0
Keywords: 
kbbug kbexpertiseinter kbsecbulletin kbsecurity kbsecvulnerability KB2934830

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com