How to obtain help and support for this security update. Help installing updates: Support for Microsoft Update Security solutions for IT professionals: TechNet Security Troubleshooting and Support Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center Local support according to your country: International Support

September 10, 2019-KB4514354 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1607

WPF 1 - Addresses an issue when rapid typing using an IME can crash via FailFast. - Addresses an issue where Thaana characters displayed in left-to-right order.

Summary. A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An Authentication Bypass vulnerability exists in WCF and WIF, allowing signing of SAML tokens with arbitrary symmetric keys.

Additional information about this security update. For more information about this security update as it relates to Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2, see the following article in the Microsoft Knowledge Base:

IMPORTANT Some customers who use Windows Server 2008 R2 SP1 and have activated their ESU multiple activation key (MAK) add-on before installing the January 14, 2020 updates might need to re-activate their key. Re-activation on the affected devices should only be required once. For information on activation, see this blog post.

The updates are now available for installation through WSUS. Update deployment information. For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:

Summary. A remote code execution vulnerability exists in .NET Framework when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

Release Channel. Available. Next Step. Windows Update and Microsoft Update. Yes. None. This update will be downloaded and installed automatically from Windows Update.

A vulnerability in certain .NET Framework APIs that parse URLs. An attacker who successfully exploits this vulnerability could use it to bypass security logic that's intended to make sure that a user-provided URL belonged to a specific host name or a subdomain of that host name.