Description
.NET Framework Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.
To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.
The update addresses the vulnerability by correcting how .NET Framework activates COM objects.
FAQ
After I installed the July 2018 updates for .NET Framework, applications fail to start or are not working correctly. What do I need to do to remedy this situation?
Microsoft is aware of multiple customer reports of applications that fail to start or that do not run correctly. Please refer to the following Recommended Actions.
Recommended actions
Customers who have not installed security updates released on July 10 for .NET: Test the updates released on July 10, and if no application errors are found, apply the updates to production.
Customers who have successfully installed security updates released on July 10 for .NET and who are not experiencing any issues: No further action is required.
Customers who have installed security updates released on July 10 for .NET and who are experiencing application errors:
- Register for security notifications mailer to be alerted of any content changes to this advisory and notifications of new updates. See Microsoft Technical Security Notifications.
- Assess the risk of application errors caused by the updates compared to vulnerability exposure risk:
  Risk guidance:
  Workstations and Terminal servers are the primary target systems where an attacker could have User level access to exploit the vulnerability. In web-application server scenarios, unprivileged users will not typically have system login access. As such, the attack surface is diminished.
- If the risk of application errors is acceptable, then:
  - Apply the security updates released on July 10 for .NET to workstations and non-web-application servers.
  - Prepare to apply the forthcoming cumulative update, which no longer carries the application errors described in KB4345913. Customers will be notified via an update to this CVE when those updates are available.
- If the risk of application errors is not acceptable, then:
  - Remove the security updates released on July 10 for .NET from systems that are showing application errors.
  - You will be notified via an update to this CVE when a limited-distribution update is available in the following days. Apply it to affected web-application servers.
Updates
| Product | Article | Update |
|---|---|---|
| Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
| Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | ||
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | ||
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | ||
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | ||
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | ||
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for 32-bit Systems | ||
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for x64-based Systems | ||
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
Related vulnerabilities
An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level, aka ".NET Framework Elevation of Privilege Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.