Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory -- Visual Studio Magazine

Microsoft Updates .NET Core, Issues Remote Code Execution Security Advisory

By David Ramel
07/15/2020

Microsoft issued security updates for .NET Core while releasing a security advisory about a remote code execution vulnerability.

"Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of an XML file," the company said in a July 14 blog post. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

"A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML."

The updates -- .NET Core 2.1.20 and .NET Core 3.1.6 -- restrict the types that are allowed to be present in the XML payload in order to address the vulnerability.

Additional fixes in the release cover a variety of issues in CoreCLR (the runtime for .NET Core), CoreFX (the foundational class libraries for .NET Core) and ASP.NET Core, the web framework.

Getting the update requires downloading .NET Core 3.1.6 and .NET Core SDK and/or .NET Core 2.1.20 and .NET Core SDK,

The fix will be baked in to a future update of the Visual Studio IDE.

More information about the vulnerability can be found in CVE-2020-1147

About the Author

David Ramel is an editor and writer for Converge360.

Printable Format

comments powered by Disqus

Featured

Data Anomaly Detection Using a Neural Autoencoder with C#

Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.
What's New for Python, Java in Visual Studio Code

Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.
Microsoft Build 2024 Sessions Listed: Copilots, Copilots & More Copilots

Microsoft today announced the session catalog for its Build developer conference next month in Seattle, with AI unsurprisingly dominating the event.
Microsoft Unifying Copilot Tools in Visual Studio 2022

Next month developers will no longer need to install two different extensions to use GitHub Copilot and Copilot Chat in Visual Studio 2022, as Microsoft is combining the two tools into a single package.
Copilot Chat Expands in Visual Studio Code

The Copilot chat feature now includes inline chat improvements, one in preview, along with commit message generation enhancements and workspace creation improvements.

Subscribe on YouTube

.NET Insight

Email Address*Country*

Please type the letters/numbers you see above.

Upcoming Training Events

0 AM

Visual Studio Live! Chicago
April 29-May 3, 2024

VSLive! 2-Day Training Seminar: Building Cloud-Ready, Resilient Systems in .NET
June 4-5, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
July 16-19, 2024

Visual Studio Live! Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

VSLive! 4-Day Hands-On Training Seminar: Hands-on with Blazor
September 17-20, 2024

VSLive! 2-Day Hands-On Training Seminar: Developing Secure ASP.NET Web Apps
September 24-25, 2024

Live! 360 Orlando
November 17-22, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
December 10-13, 2024

Free Webcasts

> More Webcasts