MS16-035: Security update for the .NET Framework to address security feature bypass

Applies to: .NET Framework 4.6.1, .NET Framework 4.6, .NET Framework 3.5.1

October 11, 2016 Revised bulletin to announce that security updates 3135994 and 3135995 for the Microsoft .NET Framework 4.5.2 on Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 have been rereleased to the Windows Server Update Services (WSUS) channel exclusively. This re-release does not apply to Windows Update or Microsoft Update Catalog customers. This re-release addresses an offering issue that prevented certain GDR customers within WSUS environments from receiving these updates if they had enabled the "automatically decline updates when a new revision causes them to expire" feature. There are no changes to the file payload. If you have already successfully deployed updates 3135994 and 3135995, you do not have to take any action.

May 10, 2016 This security update has been re-released and contains some updated articles. This re-release is intended for LDR (limited distribution release) content customers only. We determined that there were some issues in certain printing scenarios because of a missing dependency. If you use LDR content, we recommend that you apply this updated security update. There are no changes in this re-release for GDR (general distribution release) content customers.

Summary


This update resolves a vulnerability in the Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not correctly validate certain elements of a signed XML document. To learn more about the vulnerability, see Microsoft Security Bulletin MS16-035.

More Information


Important
  • All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Additional information about this security update


The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.


.NET Framework 4.6 and 4.6.1


  • 3135998 MS16-035: Description of the security update for the .NET Framework 4.6 and 4.6.1 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: March 8, 2016
  • 3135997 MS16-035: Description of the security update for the .NET Framework 4.6 and 4.6.1 in Windows Server 2012: March 8, 2016
  • 3136000 MS16-035: Description of the security update for the .NET Framework 4.6 in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1 and 4.6.1 in Windows 7 SP1 and Windows Server 2008 R2 SP1: March 8, 2016

    Known issues in security update 3136000:
    3149737 Known issue for security update 3136000 for the .NET Framework 4.6.1/4.6 and security update 3135996 for the .NET Framework 4.5.2 in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1

.NET Framework 4.5.2

  • 3135994 MS16-035: Description of the security update for the .NET Framework 4.5.2 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: March 8, 2016
  • 3135995 MS16-035: Description of the security update for the .NET Framework 4.5.2 in Windows Server 2012: March 8, 2016
  • 3135996 MS16-035: Description of the security update for the .NET Framework 4.5.2 in Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1: March 8, 2016


    Known issues in security update 3135996:
    3149737 Known issue for security update 3136000 for the .NET Framework 4.6.1/4.6 and security update 3135996 for the .NET Framework 4.5.2 in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1

.NET Framework 3.5 and 3.5.1


  • 3135983 MS16-035: Description of the security update for the .NET Framework 3.5.1 in Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: March 8, 2016
  • 3135988 MS16-035: Description of the security update for the .NET Framework 3.5.1 in Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: March 8, 2016
  • 3135985 MS16-035: Description of the security update for the .NET Framework 3.5 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: December 8, 2016
  • 3135991 MS16-035: Description of the security update for the .NET Framework 3.5 in Windows 8.1 and Windows Server 2012 R2: March 8, 2016
  • 3135989 MS16-035: Description of the security update for the .NET Framework 3.5 in Windows Server 2012: March 8, 2016
  • 3135984 MS16-035: Description of the security update for the .NET Framework 3.5 in Windows Server 2012: March 8, 2016

.NET Framework 3.0


  • 3135987 MS16-035: Description of the security update for the .NET Framework 3.0 Service Pack 2 in Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: March 8, 2016

.NET Framework 2.0


  • 3135982 MS16-035: Description of the security update for the .NET Framework 2.0 Service Pack 2 in Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: March 8, 2016

Applies to

This article applies to the following:
  • Microsoft .NET Framework 4.6.1 when used with:
    • Windows Server 2012 R2
    • Windows RT 8.1
    • Windows 8.1
    • Windows Server 2012
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
  • Microsoft .NET Framework 4.6 when used with:
    • Windows Server 2012 R2
    • Windows RT 8.1
    • Windows 8.1
    • Windows Server 2012
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
  • Microsoft .NET Framework 4.5.2 when used with:
    • Windows Server 2012 R2
    • Windows 8.1
    • Windows RT 8.1
    • Windows Server 2012
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
  • Microsoft .NET Framework 3.5.1 when used with:
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
  • Microsoft .NET Framework 3.5 when used with:
    • Windows Server 2012 R2
    • Windows RT 8.1
    • Windows 8.1
    • Windows Server 2012
  • Microsoft .NET Framework 3.0 Service Pack 2 when used with:
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
  • Microsoft .NET Framework 2.0 Service Pack 2 when used with:
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2