News

Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory

Microsoft issued security updates for .NET Core while releasing a security advisory about a remote code execution vulnerability.

"Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file," the company said in a July 14 blog post. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

"A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML."

The updates -- .NET Core 2.1.20 and .NET Core 3.1.6 -- restrict the types that are allowed to be present in the XML payload in order to address the vulnerability.

Additional fixes in the release cover a variety of issues in CoreCLR (the runtime for .NET Core), CoreFX (the foundational class libraries for .NET Core) and ASP.NET Core, the web framework.

Getting the update requires downloading .NET Core 3.1.6 and .NET Core SDK and/or .NET Core 2.1.20 and .NET Core SDK,

The fix will be baked in to a future update of the Visual Studio IDE.

More information about the vulnerability can be found in CVE-2020-1147

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

  • Windows Community Toolkit v8.2 Adds Native AOT Support

    Microsoft shipped Windows Community Toolkit v8.2, an incremental update to the open-source collection of helper functions and other resources designed to simplify the development of Windows applications. The main new feature is support for native ahead-of-time (AOT) compilation.

  • New 'Visual Studio Hub' 1-Stop-Shop for GitHub Copilot Resources, More

    Unsurprisingly, GitHub Copilot resources are front-and-center in Microsoft's new Visual Studio Hub, a one-stop-shop for all things concerning your favorite IDE.

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

Most   Popular

Subscribe on YouTube