A vulnerability in certain .NET Framework APIs that parse URLs. An attacker who successfully exploits this vulnerability could use it to bypass security logic that's intended to make sure that a user-provided URL belonged to a specific host name or a subdomain of that host name.

Release Channel. Available. Next Step. Windows Update and Microsoft Update. Yes. None. This update will be downloaded and installed automatically from Windows Update.

Prerequisites. To apply this update, you must have .NET Framework 4.8 installed. Restart requirement. You must restart the computer after you apply this update if any affected files are being used.

Note On Jan 12, 2020, a live revision was made to this update to remove its supersedence relationship with the October 13, 2020, .NET Framework security updates. If you have already installed this update, the October 13 .NET Framework updates, or any later .NET Framework updates, you do not have to take any action to be up-to-date for the latest .NET Framework security updates.

Summary. A remote code execution vulnerability exists in .NET software if the software fails to check the source markup of a file. An Authentication Bypass vulnerability exists in WCF and WIF that enables SAML tokens to be signed by using arbitrary symmetric keys.

Symptom. After installing this update, WPF apps may crash with a callstack similar to. Exception Info: System.NullReferenceException at System.Windows.Interop ...