Executive Summary

Summary
Title Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
Informations
Name KB2905247 First vendor Publication 2013-12-10
Vendor Microsoft Last vendor Modification 1970-01-01
Severity (Vendor) N/A Revision 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

General Information

Executive Summary

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.

Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to attack. An attacker who successfully exploited the vulnerability could use specially crafted HTTP content to inject code to be run in the context of the service account on the ASP.NET server. Microsoft is aware of general information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.

Mitigating Factors:

  • View state MAC is enabled by default for ASP.NET sites.

Recommendation. Microsoft recommends that customers apply the suggested action to ensure that ASP.NET view state MAC remains enabled on ASP.NET sites. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Vulnerability References

For more information about this vulnerability, see the following references:

ReferencesIdentification
Microsoft Knowledge Base Article2905247

Affected Software

This advisory discusses the following software.

Operating SystemComponentBulletins Replaced
Windows XP
Windows XP Service Pack 3Microsoft .NET Framework 2.0 Service Pack 2
(2894843)		2656352 in MS11-100
Windows XP Service Pack 3Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2003
Windows Server 2003 Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(2894845)		None
Windows Server 2003 Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894843)		2656352 in MS11-100
Windows Server 2003 Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2003 x64 Edition Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894843)		2656352 in MS11-100
Windows Server 2003 x64 Edition Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2003 with SP2 for Itanium-based SystemsMicrosoft .NET Framework 2.0 Service Pack 2
(2894843)		2656352 in MS11-100
Windows Server 2003 with SP2 for Itanium-based SystemsMicrosoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Vista
Windows Vista Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894847)		2656362 in MS11-100
Windows Vista Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Vista Service Pack 2Microsoft .NET Framework 4.5
(2894849)		None
Windows Vista Service Pack 2Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894847)		2656362 in MS11-100
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 4.5
(2894849)		None
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894847)		2656362 in MS11-100
Windows Server 2008 for 32-bit Systems Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2008 for 32-bit Systems Service Pack 2Microsoft .NET Framework 4.5
(2894849)		None
Windows Server 2008 for 32-bit Systems Service Pack 2Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2008 for x64-based Systems Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894847)		2656362 in MS11-100
Windows Server 2008 for x64-based Systems Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2008 for x64-based Systems Service Pack 2Microsoft .NET Framework 4.5
(2894849)		None
Windows Server 2008 for x64-based Systems Service Pack 2Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2008 for Itanium-based Systems Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(2894847)		2656362 in MS11-100
Windows Server 2008 for Itanium-based Systems Service Pack 2Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows 7
Windows 7 for 32-bit Systems Service Pack 1Microsoft .NET Framework 3.5.1
(2894844)		None
Windows 7 for 32-bit Systems Service Pack 1Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows 7 for 32-bit Systems Service Pack 1Microsoft .NET Framework 4.5
(2894849)		None
Windows 7 for 32-bit Systems Service Pack 1Microsoft .NET Framework 4.5.1
(2894854)		None
Windows 7 for x64-based Systems Service Pack 1Microsoft .NET Framework 3.5.1
(2894844)		None
Windows 7 for x64-based Systems Service Pack 1Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows 7 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5
(2894849)		None
Windows 7 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1Microsoft .NET Framework 3.5.1
(2894844)		None
Windows Server 2008 R2 for x64-based Systems Service Pack 1Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2008 R2 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5
(2894849)		None
Windows Server 2008 R2 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Microsoft .NET Framework 3.5.1
(2894844)		None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows 8 and Windows 8.1
Windows 8 for 32-bit SystemsMicrosoft .NET Framework 3.5
(2894851)		None
Windows 8 for 32-bit SystemsMicrosoft .NET Framework 4.5
(2894850)		None
Windows 8 for 32-bit SystemsMicrosoft .NET Framework 4.5.1
(2894855)		None
Windows 8 for 64-bit SystemsMicrosoft .NET Framework 3.5
(2894851)		None
Windows 8 for 64-bit SystemsMicrosoft .NET Framework 4.5
(2894850)		None
Windows 8 for 64-bit SystemsMicrosoft .NET Framework 4.5.1
(2894855)		None
Windows 8.1 for 32-bit SystemsMicrosoft .NET Framework 3.5
(2894852)		None
Windows 8.1 for 32-bit SystemsMicrosoft .NET Framework 4.5.1
(2894856)		None
Windows 8.1 for 64-bit SystemsMicrosoft .NET Framework 3.5
(2894852)		None
Windows 8.1 for 64-bit SystemsMicrosoft .NET Framework 4.5.1
(2894856)		None
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012Microsoft .NET Framework 3.5
(2894851)		None
Windows Server 2012Microsoft .NET Framework 4.5
(2894850)		None
Windows Server 2012Microsoft .NET Framework 4.5.1
(2894855)		None
Windows Server 2012 R2Microsoft .NET Framework 3.5
(2894852)		None
Windows Server 2012 R2Microsoft .NET Framework 4.5.1
(2894856)		None
Windows RT and Windows RT 8.1
Windows RTMicrosoft .NET Framework 4.5
(2894850)		None
Windows RTMicrosoft .NET Framework 4.5.1
(2894855)		None
Windows RT 8.1Microsoft .NET Framework 4.5.1
(2894856)		None
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft .NET Framework 3.5.1
(2894844)		None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft .NET Framework 4[1]
(2894842)		2656351 in MS11-100
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft .NET Framework 4.5
(2894849)		None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft .NET Framework 4.5.1
(2894854)		None
Windows Server 2012 (Server Core installation)Microsoft .NET Framework 3.5
(2894851)		None
Windows Server 2012 (Server Core installation)Microsoft .NET Framework 4.5
(2894850)		None
Windows Server 2012 (Server Core installation)Microsoft .NET Framework 4.5.1
(2894855)		None
Windows Server 2012 R2 (Server Core installation)Microsoft .NET Framework 3.5
(2894852)		None
Windows Server 2012 R2 (Server Core installation)Microsoft .NET Framework 4.5.1
(2894856)		None

[1].NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client Profile is a subset of .NET Framework 4. The vulnerability addressed in this update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For more information, see the MSDN article, Installing the .NET Framework.

Non-Affected Software
Microsoft .NET Framework 1.0 Service Pack 3
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1

Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is publishing an update to enable administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

What is view state?
View state is an ASP.NET feature that enables web developers to maintain page state and persist data in a web form across POST requests, or page updates and changes. View state is used prevalently by ASP.NET developers and, as such, is ubiquitous throughout ASP.NET sites. View state is always parsed, even if the EnableViewState property is set to False. For more information, see Understanding ASP.NET View State.

Will disabling view state mitigate the vulnerability?
No. View state is always parsed by the ASP.NET server, even when EnableViewState is set to False, regardless of whether or not the property is set in web.config, the @Page directive, or an ASP.NET tag. It is possible for an attacker to inject a view state property into a client post, bypassing the EnableViewState setting.

What is view state MAC Validation?
View state MAC (Machine Authentication Code) validation is a feature that causes ASP.NET to generate a hash of the view state data at page generation time. The hash is later used for comparison to the view state on a later postback, allowing the server to verify whether or not view state has been tampered with. This technology ensures that postback data has not been modified improperly and mitigates the vulnerability described in this advisory.

What might an attacker use the vulnerability to do?
In most scenarios, an attacker who successfully exploited this vulnerability could elevate privileges to the level of the service account running on the vulnerable ASP.NET site (one with an improperly configured view state MAC).

How could an attacker exploit the vulnerability?
An unauthenticated attacker could send specially crafted HTTP content to the targeted server, potentially allowing the attacker to run code on the server in the context of the service account running on the ASP.NET site.

What does the update do?
The update addresses the vulnerability by causing view state MAC to be enabled at all times, removing the ability to disable it on the server.

What additional actions must customers take following the installation of the update?
The nature of the fix requires that some customers, particularly those using ASP.NET in a web farm, take additional actions to ensure consistent availability of their ASP.NET sites. See the Suggested Actions section below for additional configuration steps.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile.

I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update?
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.0 Service Pack 2 installer chains in the .NET Framework 2.0 Service Pack 2 setup, so installing the former also installs the latter. Therefore, customers who have.NET Framework 3.0 Service Pack 2 installed need to install security updates for .NET Framework 2.0 Service Pack 2.

I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any updates?
This bulletin describes a vulnerability that affects the .NET Framework 2.0 feature layer. The .NET Framework 3.5 Service Pack 1 installer chains in both the .NET Framework 2.0 Service Pack 2 setup and the .NET Framework 3.0 Service Pack 2 setup. Therefore, customers who have .NET Framework 3.5 Service Pack 1 installed need to install security updates for.NET Framework 2.0 Service Pack 2.

Are updates available for Preview editions of Microsoft Windows and Release Candidate editions of Microsoft .NET Framework?
Yes. Updates are available for the Preview editions of Microsoft Windows and Release Candidate editions of Microsoft .NET Framework listed in the table below. Customers running any of these software combinations are encouraged to apply the updates for their systems. The updates are available from the Microsoft Download Center

Windows Vista Service Pack 2Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows Server 2008 for 32-bit Systems Service Pack 2Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows Server 2008 for x64-based Systems Service Pack 2Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows 7 for 32-bit Systems Service Pack 1Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows 7 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows Server 2008 R2 for x64-based Systems Service Pack 1Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows 8 for 32-bit SystemsMicrosoft .NET Framework 4.5.1 Release Candidate
(2894855)
Windows 8 for 64-bit SystemsMicrosoft .NET Framework 4.5.1 Release Candidate
(2894855)
Windows 8.1 Preview for 32-bit SystemsMicrosoft .NET Framework 3.5
(2895209)
Windows 8.1 Preview for 32-bit SystemsMicrosoft .NET Framework 4.5.1
(2901550)
Windows 8.1 Preview for 64-bit SystemsMicrosoft .NET Framework 3.5
(2895209)
Windows 8.1 Preview for 64-bit SystemsMicrosoft .NET Framework 4.5.1
(2901550)
Windows Server 2012Microsoft .NET Framework 4.5.1 Release Candidate
(2894855)
Windows Server 2012 R2 PreviewMicrosoft .NET Framework 3.5
(2895209)
Windows Server 2012 R2 PreviewMicrosoft .NET Framework 4.5.1
(2901550)
Windows RTMicrosoft .NET Framework 4.5.1 Release Candidate
(2894855)
Windows RT 8.1 PreviewMicrosoft .NET Framework 4.5.1
(2901550)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft .NET Framework 4.5.1 Release Candidate
(2895210)
Windows Server 2012 (Server Core installation)Microsoft .NET Framework 4.5.1 Release Candidate
(2894855)
Windows Server 2012 R2 Preview (Server Core installation)Microsoft .NET Framework 3.5
(2895209)
Windows Server 2012 R2 Preview (Server Core installation)Microsoft .NET Framework 4.5.1
(2901550)

Suggested Actions

  • Apply the update for affected releases of Microsoft .NET Framework

    This update is available from the Microsoft Download Center. For information on how to manually apply the update, see Microsoft Knowledge Base Article 2905247.

  • For administrators and enterprise installations with web-farm scenarios

    Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218.

Additional Suggested Actions
  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Update Information

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Windows XP (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service PacksThe update for this issue will be included in a future service pack or update rollup
Security update file namesFor Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Service Pack 3:
NDP20SP2-KB2894843-x86.exe
For Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3:
NDP40-KB2894842-x86.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 2.0 Service Pack 2:
Microsoft .NET Framework 2.0-KB2894843_*-msi0.txt
Microsoft .NET Framework 2.0-KB2894843_*.html
For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html
Restart requirementIn some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Removal informationUse the Add or Remove Programs item in Control Panel.
File informationSee Microsoft Knowledge Base Article 2905247
Registry key verificationFor Microsoft .NET Framework 2.0 Service Pack 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2894843
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"

Note The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.

Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service PacksThe update for this issue will be included in a future service pack or update rollup
Security update file namesFor Microsoft .NET Framework 1.1 Service Pack 1 when installed on all supported 32-bit editions of Windows Server 2003 SP2:
WindowsServer2003-KB2894845-x86-ENU.exe
For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2003:
NDP20SP2-KB2894843-x86.exe
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
NDP40-KB2894842-x86.exe
For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2003:
NDP20SP2-KB2894843-x64.exe
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:
NDP40-KB2894842-x64.exe
For Microsoft .NET Framework 2.0 Service Pack 2 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP20SP2-KB2894843-IA64.exe
For Microsoft .NET Framework 4 when installed on all supported Itanium-based editions of Windows Server 2003:
NDP40-KB2894842-IA64.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2:
KB2894845.log
For Microsoft .NET Framework 2.0 Service Pack 2:
Microsoft .NET Framework 2.0-KB2894843_*-msi0.txt
Microsoft .NET Framework 2.0-KB2894843_*.html
For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html
Restart requirementIn some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Removal informationUse the Add or Remove Programs item in Control Panel.
File informationSee Microsoft Knowledge Base Article 2905247
Registry key verificationFor Microsoft .NET Framework 1.1 Service Pack 1 on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2894845\
For Microsoft .NET Framework 2.0 Service Pack 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2\SP2\KB2894843
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based editions and Itanium-based editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"

Note The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition (except for the update for Microsoft .NET Framework 1.1, which does not apply to Windows XP).

Windows Vista (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service PacksThe update for this issue will be included in a future service pack or update rollup
Security update file namesFor Microsoft .NET Framework 1.1 Service Pack 1 on all supported 32-bit editions of Windows Server 2003 SP2:
WindowsServer2003-KB2894845-x86-ENU.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on all supported 32-bit editions of Windows Vista:
Windows6.0-KB2894847-x86.msu
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
NDP40-KB2894842-x86.exe
For Microsoft .NET Framework 4.5 when installed on all supported 32-bit editions of Windows Vista:
NDP45-KB2894849-x86.exe
For Microsoft .NET Framework 4.5.1 when installed on all supported 32-bit editions of Windows Vista:
NDP45-KB2894854-x86.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on all supported x64-based editions of Windows Vista:
Windows6.0-KB2894847-x64.msu
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:
NDP40-KB2894842-x64.exe
For Microsoft .NET Framework 4.5 when installed on all supported x64-based editions of Windows Vista:
NDP45-KB2894849-x64.exe
For Microsoft .NET Framework 4.5.1 when installed on all supported x64-based editions of Windows Vista:
NDP45-KB2894854-x64.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2:
KB2894845.log
For Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable
For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html
For Microsoft .NET Framework 4.5:
KB2894849_*_*-Microsoft .NET Framework 4.5-MSP0.txt
KB2894849_*_*.html
For Microsoft .NET Framework 4.5.1:
KB2894854_*_*-Microsoft .NET Framework 4.5.1-MSP0.txt
KB2894854_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File informationSee Microsoft Knowledge Base Article 2905247
Registry key verificationFor Microsoft .NET Framework 1.1 Service Pack 1 on all supported 32-bit editions of Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2894845\
For Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.5:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.5\KB2894849
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.5.1\KB2894854
"ThisVersionInstalled" = "Y"
Windows Server 2008 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service PacksThe update for this issue will be included in a future service pack or update rollup
Security update file namesFor Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2:
Windows6.0-KB2894847-x86.msu
For Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP40-KB2894842-x86.exe
For Microsoft .NET Framework 4.5 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP45-KB2894849-x86.exe
For Microsoft .NET Framework 4.5.1 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2:
NDP45-KB2894854-x86.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2:
Windows6.0-KB2894847-x64.msu
For Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP40-KB2894842-x64.exe
For Microsoft .NET Framework 4.5 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP45-KB2894849-x64.exe
For Microsoft .NET Framework 4.5.1 when installed on Windows Server 2008 for x64-based Systems Service Pack 2:
NDP45-KB2894854-x64.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on all supported Itanium-based editions of Windows Server 2008:
Windows6.0-KB2894847-ia64.msu
For Microsoft .NET Framework 4 when installed on Windows Server 2008 for Itanium-based Systems Service Pack 2:
NDP40-KB2894842-IA64.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable
For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html
For Microsoft .NET Framework 4.5:
KB2894849_*_*-Microsoft .NET Framework 4.5-MSP0.txt
KB2894849_*_*.html
For Microsoft .NET Framework 4.5.1:
KB2894854_*_*-Microsoft .NET Framework 4.5.1-MSP0.txt
KB2894854_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
File informationSee Microsoft Knowledge Base Article 2905247
Registry key verificationFor Microsoft .NET Framework 2.0 Service Pack 2:
Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based and Itanium-based editions of Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2894842
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.5:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.5\KB2894849
"ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4.5.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.5.1\KB2894854
"ThisVersionInstalled" = "Y"
Windows 7 (all editions)

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service PacksThe update for this issue will be included in a future service pack or update rollup
Security update file nameFor Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1:
Windows6.1-KB2894844-x86.msu
For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP40-KB2894842-x86.exe
For Microsoft .NET Framework 4.5 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP45-KB2894849-x86.exe
For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for 32-bit Systems Service Pack 1:
NDP45-KB2894854-x86.exe
For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1:
Windows6.1-KB2894844-x64.msu
For Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP40-KB2894842-x64.exe
For Microsoft .NET Framework 4.5 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP45-KB2894849-x64.exe
For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for x64-based Systems Service Pack 1:
NDP45-KB2894854-x64.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 3.5.1:
Not applicable
For Microsoft .NET Framework 4:
KB2894842_*_*-Microsoft .NET Framework 4 Client Profile-MSP0.txt
KB2894842_*_*.html
For Microsoft .NET Framework 4.5:
KB2894849_*_*-Microsoft .NET Framework 4.5-MSP0.txt
KB2894849_*_*.html
For Microsoft .NET Framework 4.5.1:
KB2894854_*_*-Microsoft .NET Framework 4.5.1-MSP0.txt
KB2894854_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2905247.mspx

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:38:44
  • Multiple Updates
2013-12-11 05:17:55
  • First insertion