MS07-040: Vulnerabilities in the .NET Framework could allow remote code execution

Article ID: 931212
Last Review: May 7, 2008
Revision: 13.0

INTRODUCTION

Microsoft has released security bulletin MS07-040. This security bulletin contains all the relevant information about the corresponding security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites:
Home users:
http://www.microsoft.com/protect/computer/updates/bulletins/200707.mspx
Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:
http://update.microsoft.com/microsoftupdate/
IT professionals:
http://www.microsoft.com/technet/security/bulletin/MS07-040.mspx

MORE INFORMATION

Known issues with this security update

The following table lists the known issues with this security update. If you have problems with this security update that are not addressed by these known issues, no-charge support is available for consumers by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for security update support issues, visit the International Support Web site:
http://support.microsoft.com/common/international.aspx
Enterprise customers can obtain support for security updates through their usual support contacts.

To use the table, look in the top two rows of the table. Locate the column of the appropriate Microsoft Knowledge Base article number for the update that corresponds to the .NET Framework version that you are using. The rows that contain an "X" correspond to a Knowledge Base article that describes a known issue for the .NET Framework version that you are using. Click the article numbers in the left column to view the article.
| | KB930494 | KB928367 | KB928366 | KB933854 | KB929729 | KB928365 | KB929916 |
| | .NET Framework 1.0 SP3 | .NET Framework 1.0 SP3 | .NET Framework 1.1 SP1 | .NET Framework 1.1 SP1 | .NET Framework 1.1 SP1 | .NET Framework 2.0 | .NET Framework 2.0 |
| Microsoft Knowledge Base article | MCE and Tablet PC | Vista/Windows Server 2003/Windows 2000/Windows XP | Windows 2000/Windows XP/Windows Server 2003 x64 and IA-64 | Windows Server 2003 x86 | Vista | Windows Server 2003/Windows XP/Windows 2000 | Vista |
923100 (http://support.microsoft.com/kb/923100/) XXXXX
923101 (http://support.microsoft.com/kb/923101/) XX
931846 (http://support.microsoft.com/kb/931846/) XX
934229 (http://support.microsoft.com/kb/934229/) XX
934711 (http://support.microsoft.com/kb/934711/) XXXXX
934712 (http://support.microsoft.com/kb/934712/) XX
934793 (http://support.microsoft.com/kb/934793/) XX
936597 (http://support.microsoft.com/kb/936597/) XX
939160 (http://support.microsoft.com/kb/939160/) XXX
939949 (http://support.microsoft.com/kb/939949/) X
940332 (http://support.microsoft.com/kb/940332/) XXX
940521 (http://support.microsoft.com/kb/940521/) X
940947 (http://support.microsoft.com/kb/940947/) X
941386 (http://support.microsoft.com/kb/941386/) XX
941789 (http://support.microsoft.com/kb/941789/) X
942086 (http://support.microsoft.com/kb/942086/) XX
943804 (http://support.microsoft.com/kb/943804/) X
944746 (http://support.microsoft.com/kb/944746/) XX
944925 (http://support.microsoft.com/kb/944925/) X

Microsoft Knowledge Base articles that describe the known issues with this security update

For more information about the known issues that are referenced in this table, click the following article numbers to view the articles in the Microsoft Knowledge Base:
923100 (http://support.microsoft.com/kb/923100/) When you try to install an update for the .NET Framework 1.0, 1.1, or 2.0, you may receive Windows Update error code "0x643" or Windows Installer error code "1603"
923101 (http://support.microsoft.com/kb/923101/) Error message when you try to install a security update for the .NET Framework 2.0 on a computer that is running Windows Server 2003 x64 Edition: "Error 1324. The folder 'Program Files' contains an invalid character"
931846 (http://support.microsoft.com/kb/931846/) You may be unable to execute SQL Server 2005 Integration Services packages that contain script tasks or script components
934229 (http://support.microsoft.com/kb/934229/) The "Add Link to Site" page stops responding, and the link is not added when you try to add a new link to the Site Directory in a SharePoint Portal Server 2003 site
934711 (http://support.microsoft.com/kb/934711/) Error message when you restart the computer after you uninstall a security update for the .NET Framework 1.1: "This application has requested the Runtime to terminate in an unusual way"
934712 (http://support.microsoft.com/kb/934712/) Warning message when you try to install a .NET Framework 1.0 Service Pack 3 or .NET Framework 1.1 Service Pack 1 security update on a Windows Vista-based computer: "An unidentified program wants to access your computer"
934793 (http://support.microsoft.com/kb/934793/) Description of the SharePoint Server 2007 hotfix package: April 12, 2007
936597 (http://support.microsoft.com/kb/936597/) The application or control does not run when you try to run .NET Framework 1.0 HREF tags to point to a managed executable application or to a control
939160 (http://support.microsoft.com/kb/939160/) The file version is rolled back to the version that was installed by the last service pack when you remove some security updates for the .NET Framework 1.1 or for the .NET Framework 1.0
939949 (http://support.microsoft.com/kb/939949/) Error message when you run an application or try to access a Web site on a computer that has a particular .NET Framework 2.0 software update installed: "Culture name 'Culture' is not supported"
940332 (http://support.microsoft.com/kb/940332/) Error message when you install an update for the .NET Framework 1.1 or for the .NET Framework 1.0: "The upgrade patch cannot be installed by the Windows Installer service"
940521 (http://support.microsoft.com/kb/940521/) The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040
940947 (http://support.microsoft.com/kb/940947/) Error message after you install security update 931212 (MS07-040) in Windows 2000 with Service Pack 4: "Error 127: the specified procedure could not be found"
941386 (http://support.microsoft.com/kb/941386/) FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0 after you install the MS07-040 security update: "Type 'System.Web.HttpHeaderCollection' is not marked as serializable"
941789 (http://support.microsoft.com/kb/941789/) You receive error messages after you install security update 931212 (MS07-040) on a Windows SharePoint Services 3.0 Web front-end server or on a SharePoint Server 2007 Web front-end server
942086 (http://support.microsoft.com/kb/942086/) FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0: "The constructor to deserialize an object of type '<custom object>' was not found"
943804 (http://support.microsoft.com/kb/943804/) FIX: Certain Unicode characters returned by the Application.ExecutablePath property in the .NET Framework 2.0 are displayed as "?"
944746 (http://support.microsoft.com/kb/944746/) FIX: Event ID: 1008 occurs after you apply security update MS07-040 on a computer that has the .NET Framework 1.0 installed
944925 (http://support.microsoft.com/kb/944925/) FIX: You may receive an exception error message when you serialize an ObjRef object between the client computer and the server computer after you install the MS07-040 update on only the client computer

Microsoft Knowledge Base articles that describe the individual packages for this security update

For more information about the individual packages for this security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:
930494 (http://support.microsoft.com/kb/930494/) Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows XP Media Center and Windows XP Tablet PC: July 10, 2007
928367 (http://support.microsoft.com/kb/928367/) Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows Vista, Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007
928366 (http://support.microsoft.com/kb/928366/) Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows XP and Windows 2000: July 10, 2007
933854 (http://support.microsoft.com/kb/933854/) Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Server 2003: July 10, 2007
929729 (http://support.microsoft.com/kb/929729/) Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Vista: July 10, 2007
928365 (http://support.microsoft.com/kb/928365/) Description of the security update for the .NET Framework 2.0 for Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007
929916 (http://support.microsoft.com/kb/929916/) Description of the security update for the .NET Framework 2.0 for Windows Vista: July 10, 2007

Additional information about this security update

After you install this security update, the behavior of the UTF8Encoding, UnicodeEncoding, and UTF32Encoding classes changes to comply with the Unicode 5.0 requirements for Unicode encodings. Unauthorized and invalid bytes are not removed. Instead, they are replaced by U+FFFD, the Unicode replacement character.

For more information about this behavior, click the following article number to view the article in the Microsoft Knowledge Base:
940521 (http://support.microsoft.com/kb/940521/) The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040
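
The replacement behavior described above matters to any code that validates or compares decoded text, because a malformed sequence now leaves a visible U+FFFD marker instead of disappearing. The following C# sketch is an added example, not code from the Microsoft article; the class name, helper names and sample bytes are constructed for illustration. It shows the lenient decode, a check for the marker, and a strict decode that rejects malformed input outright.

```csharp
using System;
using System.Text;

// Added illustration; names and sample data are hypothetical.
static class InvalidUtf8Demo
{
    const char ReplacementChar = '\uFFFD';

    // Lenient decode: invalid byte sequences are replaced with U+FFFD.
    static string DecodeLenient(byte[] data)
    {
        return new UTF8Encoding(false, false).GetString(data);
    }

    // True when the decoded text carries the replacement marker, which
    // signals that the original bytes were not well-formed UTF-8.
    static bool HadInvalidBytes(string decoded)
    {
        return decoded.IndexOf(ReplacementChar) >= 0;
    }

    // Strict decode: throwOnInvalidBytes = true raises DecoderFallbackException,
    // so malformed input is rejected before any filtering or comparison runs.
    static bool TryDecodeStrict(byte[] data, out string text)
    {
        try
        {
            text = new UTF8Encoding(false, true).GetString(data);
            return true;
        }
        catch (DecoderFallbackException)
        {
            text = null;
            return false;
        }
    }

    static void Main()
    {
        // Constructed sample: "ab", then 0xFF (never valid in UTF-8), then "cd".
        byte[] sample = { 0x61, 0x62, 0xFF, 0x63, 0x64 };

        string lenient = DecodeLenient(sample);
        Console.WriteLine("Marker present: " + HadInvalidBytes(lenient));
        Console.WriteLine("Equals \"abcd\": " + (lenient == "abcd"));

        string strict;
        Console.WriteLine("Strict decode accepted: " + TryDecodeStrict(sample, out strict));
    }
}
```

Applications that stored or compared strings produced by the earlier behavior may see mismatches after the update, since the decoded text now contains U+FFFD where invalid bytes occurred.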

Affected software

This article applies to the following versions of the Microsoft .NET Framework when used with the corresponding Microsoft operating systems:
The .NET Framework 1.0 Service Pack 3 when used with:
  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows XP Tablet PC Edition 2005
  • Windows XP Media Center Edition 2005
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 for Itanium-based Systems when used with:
      • Windows Server 2003 Service Pack 1
      • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista
  • Windows Vista Service Pack 1
  • Windows Server 2008

The .NET Framework 1.1 Service Pack 1 when used with:
  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 for Itanium-based Systems when used with:
      • Windows Server 2003 Service Pack 1
      • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista
  • Windows Vista Service Pack 1
  • Windows Vista x64 Edition
  • Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008
  • Windows Server 2008 x64 Edition
  • Windows Server 2008 for Itanium-based Systems

The .NET Framework 2.0 when used with:
  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 for Itanium-based Systems when used with:
      • Windows Server 2003 Service Pack 1
      • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista
  • Windows Vista x64 Edition
