ASP.NET Core MVC 1.1.0 Vulnerability Guidance

Microsoft's security bulletin describes a security vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to possible denial of service attacks, and issues mitigation guidance.

Microsoft this week issued a security bulletin for a vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to potential denial of service attacks. Microsoft Security Advisory 4010983 specifically notes that it's a publicly known flaw that can affect any project with a "direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0."

According to the bulletin, only projects that target version 1.1.0 are affected, while those targeting "ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not." As is common with these types of flaws, the vulnerability is triggered by a malformed HTTP request.

MSA 4010983 notes that updating apps to target a more recent 1.1.1 package, or any version newer than that, will mitigate the DoS issue. The bulletin defines corrective measures based on whether an app depends on ASP.NET Core MVC directly or transitively, so developers need to review which type of dependency their project has and take the update steps that apply to it. Once an app is updated to use the right package, it should then be republished.
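One way to run that dependency review is sketched below. It is an added example, not code from Microsoft's bulletin, and it assumes the NuGet restore output (`project.lock.json` or `obj/project.assets.json`) with its `libraries`, `targets` and `projectFileDependencyGroups` keys. The function names are hypothetical and the sample data is constructed.

```python
import json
PACKAGE = "microsoft.aspnetcore.mvc.core"
AFFECTED = "1.1.0"  # the only version the bulletin names as affected

def direct_names(assets):
    """Packages the project references itself; entries look like 'Name >= 1.1.0'."""
    groups = assets.get("projectFileDependencyGroups", {}).values()
    return {entry.split()[0].lower() for group in groups for entry in group}

def dependency_graph(assets):
    """Map package name -> names it depends on, merged across target frameworks."""
    graph = {}
    for target in assets.get("targets", {}).values():
        for key, info in target.items():
            deps = {d.lower() for d in info.get("dependencies", {})}
            graph.setdefault(key.split("/")[0].lower(), set()).update(deps)
    return graph

def reachable(graph, start):
    """All packages reachable from one direct reference (iterative depth-first search)."""
    stack, seen = [start], set()
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen

def classify(assets):
    """Return (status, direct references that bring in the affected package)."""
    resolved = {key.lower() for key in assets.get("libraries", {})}
    if f"{PACKAGE}/{AFFECTED}" not in resolved:
        return ("not affected", [])
    direct = direct_names(assets)
    if PACKAGE in direct:
        return ("direct", [PACKAGE])
    graph = dependency_graph(assets)
    return ("transitive", sorted(d for d in direct if PACKAGE in reachable(graph, d)))

def classify_file(path):  # path to a restored project.lock.json or project.assets.json
    with open(path, encoding="utf-8-sig") as handle:
        return classify(json.load(handle))

SAMPLE = {  # constructed sample, trimmed to the three keys read above
    "projectFileDependencyGroups": {".NETCoreApp,Version=v1.1": ["Microsoft.AspNetCore.Mvc >= 1.1.0"]},
    "libraries": {"Microsoft.AspNetCore.Mvc/1.1.0": {}, "Microsoft.AspNetCore.Mvc.Core/1.1.0": {}},
    "targets": {".NETCoreApp,Version=v1.1": {
        "Microsoft.AspNetCore.Mvc/1.1.0": {"dependencies": {"Microsoft.AspNetCore.Mvc.Core": "1.1.0"}},
        "Microsoft.AspNetCore.Mvc.Core/1.1.0": {}}}}
```

For the constructed sample, `classify(SAMPLE)` reports a transitive dependency reached through `microsoft.aspnetcore.mvc`. Rerun the check after updating and restoring packages to confirm version 1.1.0 no longer resolves.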

Microsoft's Rich Lander blogs about the update on the .NET blog on MSDN; in it he links to a Red Hat advisory that contains guidance for Red Hat users (but a subscription is required to read it).

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.
