Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory -- Visual Studio Magazine

Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory

By David Ramel
07/15/2020

Microsoft issued security updates for .NET Core while releasing a security advisory about a remote code execution vulnerability.

"Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file," the company said in a July 14 blog post. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

"A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML."

The updates -- .NET Core 2.1.20 and .NET Core 3.1.6 -- restrict the types that are allowed to be present in the XML payload in order to address the vulnerability.

Additional fixes in the release cover a variety of issues in CoreCLR (the runtime for .NET Core), CoreFX (the foundational class libraries for .NET Core) and ASP.NET Core, the web framework.

Getting the update requires downloading .NET Core 3.1.6 and .NET Core SDK and/or .NET Core 2.1.20 and .NET Core SDK,

The fix will be baked in to a future update of the Visual Studio IDE.

More information about the vulnerability can be found in CVE-2020-1147

About the Author

David Ramel is an editor and writer at Converge 360.

Printable Format

comments powered by Disqus

Featured

Visual Studio Devs Share Copilot AI Prompts to Improve Code

Microsoft's Mads Kristensen took to social media to ask Visual Studio developers to share their favorite prompts to get GitHub Copilot AI to improve their code.
Azure AI Foundry Gets 'Computer-Using Agent' for Autonomous GUI Interaction

Microsoft is expanding functionality for agentic AI into its Azure AI Foundry platform, furthering one of the hottest areas of development right now where AI controls computers just like humans.
Microsoft Previews GPT-4o Copilot Code Completion and .NET AI Template in Visual Studio

Things are happening quickly in the Microsoft-centric AI dev space, with the company previewing new AI features in Visual Studio 2022 ranging from a new .NET AI template to GPT-4o Copilot Code Completion.
Microsoft Ports TypeScript to Go for 10x Native Performance Gains

Microsoft is revamping its TypeScript programming language with a native compiler and toolset. This effort seeks to address performance challenges, especially in large codebases, by porting the existing TypeScript compiler from TypeScript/JavaScript to the native language, Go.
Uno Platform Takes 'Hot Design' for Cross-Platform .NET Apps to Public Beta

Uno Platform has taken its "Hot Design" feature to public beta, extending the "Hot Reload" paradigm with functionality to visually edit and refine a running app in real-time.