MS14-057: Vulnerabilities in the .NET Framework could allow remote code execution: October 14, 2014


Introduction


This security update resolves the following:
  • Vulnerabilities that could allow remote code execution if an attacker sends a specially crafted URL request that contains international characters to a Microsoft .NET web application.
  • Vulnerabilities that could allow elevation of privilege. The update addresses these by improving how the Microsoft .NET Framework communicates with the ClickOnce installer process.
  • A security feature bypass vulnerability that could let an attacker bypass the Address Space Layout Randomization (ASLR) security feature. An attacker could use this ASLR bypass together with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code.

Summary


Microsoft has released security bulletin MS14-057. Learn more about how to obtain the fixes that are included in this security bulletin: 

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

More Information


More information about this update

The following articles contain additional information about this update as it relates to individual product versions. The articles may contain information specific to the individual updates, such as a download URL, prerequisites, and command-line switches.
Microsoft .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2
  • 2979578  MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014
  • 2972107  MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014
  • 2979577  MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows 8, Windows RT, and Windows Server 2012: October 14, 2014
  • 2978042  MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows 8, Windows RT, and Windows Server 2012: October 14, 2014
  • 2979576  MS14-057: Description of the security update for the .NET Framework 4.5.1 and the .NET Framework 4.5.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: October 14, 
  • 2978041  MS14-057: Description of the security update for the .NET Framework 4.5.1 and the .NET Framework 4.5.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: October 14, 2014
Microsoft .NET Framework 4
  • 2979575  MS14-057: Description of the security update for the .NET Framework 4 for Windows Server 2003 SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014
  • 2972106  MS14-057: Description of the security update for the .NET Framework 4 for Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014
Microsoft .NET Framework 3.5.1
  • 2979570  MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014
  • 2972100  MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014
  • 2968294  MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014
Microsoft .NET Framework 3.5
  • 2979573  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014
  • 2972103  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014
  • 2968296  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014
  • 2979571  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014
  • 2972101  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014
  • 2968295  MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014
Microsoft .NET Framework 2.0
  • 2979568  MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014
  • 2972098  MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014
  • 2979574  MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2: October 14, 2014
  • 2972105  MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2: October 14, 2014
  • 2968292  MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014

Update replacement information

Update replacement information for each specific update can be found in the Knowledge Base articles that correspond to this update.

Applies to

This article applies to the following:
  • Microsoft .NET Framework 4.5.2 when used with:
    • Windows 8.1
    • Windows RT 8.1
    • Windows Server 2012 R2
    • Windows 8
    • Windows RT
    • Windows Server 2012
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
  • Microsoft .NET Framework 4.5.1 when used with:
    • Windows 8.1
    • Windows RT 8.1
    • Windows Server 2012 R2
    • Windows 8
    • Windows RT
    • Windows Server 2012
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
  • Microsoft .NET Framework 4.5 when used with:
    • Windows 8.1
    • Windows RT 8.1
    • Windows Server 2012 R2
    • Windows 8
    • Windows RT
    • Windows Server 2012
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
  • Microsoft .NET Framework 4 when used with:
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Server 2003 Service Pack 2
  • Microsoft .NET Framework 3.5.1 when used with:
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
  • Microsoft .NET Framework 3.5 when used with:
    • Windows 8.1
    • Windows Server 2012 R2
    • Windows 8
    • Windows Server 2012
  • Microsoft .NET Framework 2.0 Service Pack 2 when used with:
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
    • Windows Server 2003 Service Pack 2