
After you apply security update 3141780, .NET Framework applications encounter exception errors or unexpected failures while processing files that contain SignedXml

Summary
After you install any of the 3141780 security updates (described in Microsoft security bulletin MS16-035), .NET Framework applications may throw exceptions or fail unexpectedly when they process files that contain SignedXml signatures. The update changes how System.Security.Cryptography.Xml.SignedXml verifies signatures: it no longer opens or downloads resources that are external to the document being verified, and it no longer runs XML Signature transforms that accept input from the signed document (the XPath and XSLT transforms) unless an administrator explicitly enables them. The two scenarios below describe the resulting failures and the registry values that restore the previous behavior. Each registry value re-enables behavior that the update removed for security reasons, so apply it only where the affected documents come from senders you trust.
More information
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Scenario 1

Scenario 1 symptoms

Managed applications throw an exception that has the following signature, where [FileOrUrl] is the URI attribute of a <Reference> element that points outside the signed document (a detached signature):

System.Security.Cryptography.CryptographicException: Unable to resolve Uri [FileOrUrl].


Example

System.Security.Cryptography.CryptographicException: Unable to resolve Uri testfile.xml.

Scenario 1 resolution

If the application must continue to verify detached signatures, set the following registry value on the system (the notation is key@value=data):

Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security@SignedXmlAllowDetachedSignature=1


.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

SignedXml-ExternalReferences.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

SignedXml-ExternalReferences.Wow6432.reg (32-bit process on 64-bit system)

Notes
  • This registry value must be of type REG_DWORD.
  • This registry value restores the previous behavior of opening or downloading a resource that is external to the document being verified in order to compute its digest. Before you enable it, check which URIs the affected documents reference; the sender of a document controls those URIs, and SignedXml will fetch them during verification.
Warning Enabling this registry value could expose the application to security vulnerabilities including Denial of Service, Distributed Reflection Denial of Service, Information Disclosure, Signature Bypass, and Remote Code Execution.

Scenario 2

Scenario 2 symptoms

Signature verification fails when success was expected.

Scenario 2 resolution

If the signature uses the XPath transform (a <Transform> element whose Algorithm is http://www.w3.org/TR/1999/REC-xpath-19991116), as in the following signature block, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">…</Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>

</Document>

Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXPathTransform=http://www.w3.org/TR/1999/REC-xpath-19991116


.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

XmlDSigXPathTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

XmlDSigXPathTransform.Wow6432.reg (32-bit process on 64-bit system)

If the signature uses the XSLT transform (a <Transform> element whose Algorithm is http://www.w3.org/TR/1999/REC-xslt-19991116), as in the following signature block, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">…</Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>

</Document>

Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXsltTransform=http://www.w3.org/TR/1999/REC-xslt-19991116

.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

XmlDSigXsltTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

XmlDSigXsltTransform.Wow6432.reg (32-bit process on 64-bit system)

Note By default, only those XML Signature transforms that are provided by the .NET Framework and do not accept input from the signed document are enabled. To enable an input-accepting transform or a custom transform, the transform's registered URI must be stored as the data of a REG_SZ-typed value under the SafeTransformMethods key. The value name is not processed and can be anything the computer administrator chooses; the names XmlDsigXPathTransform and XmlDsigXsltTransform used above are only for readability. Note that this key is consulted by the .NET Framework in the process that performs the verification, so a 32-bit process on 64-bit Windows reads the Wow6432Node key, which is why a separate .reg file is provided for that case.

Warning The XPath and XSLT transforms allow the document sender to construct documents that are computationally expensive to process. This could cause a Denial of Service.
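The following PowerShell script is an added example; it is not part of this article and does not reproduce the downloadable .reg files. It first triages a folder of signed XML files for the two conditions described in Scenario 1 and Scenario 2 (a Reference URI that is neither empty nor a same-document "#id" reference, and XPath or XSLT Transform elements), then writes the registry values from this article to both the native key and, on 64-bit Windows, the Wow6432Node key, with the types the article specifies (REG_DWORD for SignedXmlAllowDetachedSignature, REG_SZ under SafeTransformMethods). The function names, the scan path, and the use of [Environment]::Is64BitOperatingSystem to decide whether to write the Wow6432Node key are assumptions of the example. Run it from an elevated Windows PowerShell 3.0 or later prompt, and enable only the value that the triage shows you need.

```powershell
# Added example for KB 3148821; not part of the article or its .reg downloads.
# Assumptions: elevated Windows PowerShell 3.0+ on the affected machine, and the
# files under -Path come from senders you would trust with the re-enabled behavior.

$XPathTransformUri = 'http://www.w3.org/TR/1999/REC-xpath-19991116'
$XsltTransformUri  = 'http://www.w3.org/TR/1999/REC-xslt-19991116'
$XmlDsigNamespace  = 'http://www.w3.org/2000/09/xmldsig#'

function Get-SignedXmlRisk {
    # Reports, per file, which scenario in the article a <Signature> would hit:
    #   ExternalReference - Reference URI that is neither "" nor "#id", so
    #                       SignedXml must fetch it from outside the document
    #   XPathTransform / XsltTransform - input-accepting transforms (Scenario 2)
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.xml -Recurse -File | ForEach-Object {
        $file = $_
        # Load with DTD processing prohibited and no resolver, so the triage
        # itself cannot be turned into an XXE or an outbound fetch.
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
        $settings.XmlResolver = $null
        $doc = New-Object System.Xml.XmlDocument
        try {
            $reader = [System.Xml.XmlReader]::Create($file.FullName, $settings)
            try { $doc.Load($reader) } finally { $reader.Close() }
        } catch {
            Write-Warning "Skipping $($file.FullName): $($_.Exception.Message)"
            return
        }

        $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
        $ns.AddNamespace('ds', $XmlDsigNamespace)
        $external   = @()
        $algorithms = @()
        foreach ($ref in $doc.SelectNodes('//ds:Signature/ds:SignedInfo/ds:Reference', $ns)) {
            $uri = $ref.GetAttribute('URI')
            if ($uri -ne '' -and -not $uri.StartsWith('#')) { $external += $uri }
            foreach ($t in $ref.SelectNodes('ds:Transforms/ds:Transform', $ns)) {
                $algorithms += $t.GetAttribute('Algorithm')
            }
        }
        [pscustomobject]@{
            File              = $file.FullName
            ExternalReference = $external
            XPathTransform    = ($algorithms -contains $XPathTransformUri)
            XsltTransform     = ($algorithms -contains $XsltTransformUri)
        }
    }
}

function Enable-SignedXmlLegacyBehavior {
    # Writes the article's registry values. -DetachedSignature is Scenario 1
    # (REG_DWORD); -XPath and -Xslt are Scenario 2 (REG_SZ under
    # SafeTransformMethods). Both the native key and, on 64-bit Windows, the
    # Wow6432Node key are written, which is what the two .reg files cover.
    [CmdletBinding()]
    param([switch]$DetachedSignature, [switch]$XPath, [switch]$Xslt)

    $roots = @('HKLM:\SOFTWARE\Microsoft\.NETFramework')
    if ([Environment]::Is64BitOperatingSystem) {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    }
    foreach ($root in $roots) {
        $security = Join-Path $root 'Security'
        $safe     = Join-Path $security 'SafeTransformMethods'
        if ($DetachedSignature) {
            if (-not (Test-Path $security)) { New-Item -Path $security -Force | Out-Null }
            New-ItemProperty -Path $security -Name 'SignedXmlAllowDetachedSignature' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
        if ($XPath -or $Xslt) {
            if (-not (Test-Path $safe)) { New-Item -Path $safe -Force | Out-Null }
            # The value name is ignored by the framework; only the REG_SZ data matters.
            if ($XPath) {
                New-ItemProperty -Path $safe -Name 'XmlDsigXPathTransform' `
                    -PropertyType String -Value $XPathTransformUri -Force | Out-Null
            }
            if ($Xslt) {
                New-ItemProperty -Path $safe -Name 'XmlDsigXsltTransform' `
                    -PropertyType String -Value $XsltTransformUri -Force | Out-Null
            }
        }
        Write-Verbose "Updated $root"
    }
}

# Usage (hypothetical path): triage first, then opt in only to what is needed.
# Get-SignedXmlRisk -Path 'C:\inbound\signed' | Format-Table -AutoSize
# Enable-SignedXmlLegacyBehavior -XPath -Verbose
```

The triage deliberately reads the files with DTD processing prohibited and no XmlResolver, because a scan of untrusted XML should not itself fetch external resources. An ExternalReference result means Scenario 1 applies and the URIs listed are what SignedXml would fetch once SignedXmlAllowDetachedSignature is set; review them before enabling that value, since the sender controls them.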
Properties

Article ID: 3148821 - Last Review: 03/16/2016 20:51:00 - Revision: 5.0

Microsoft .NET Framework 4.6.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 2.0 Service Pack 2

  • kbbug kbexpertiseinter kbsecbulletin kbsecurity kbsecvulnerability kbsurveynew kbregistry KB3148821