Windows 10: Microsoft Security Advisory 4010983

Brink · Jan 26, 2017

Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of ASP.NET Core MVC 1.1.0. This advisory also provides guidance on what developers can do to update their applications correctly.

Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.1.0 where a malformed HTTP request could lead to a denial of service.

ASP.NET Core is next generation of ASP.NET that provides a familiar and modern framework for web and cloud scenarios, running on top of .NET Core. These products are actively developed by the ASP.NET team in collaboration with a community of open source developers, running on Windows, Mac OS X and Linux. When ASP.NET Core was released, the version number was reset to 1.0.0 to reflect the fact that it is a separate product from its predecessor - ASP.NET.

Developers are advised to update all apps to use package version 1.1.1 or greater.

Mitigating Factors

Only applications targeting ASP.NET Core 1.1.0 are affected. Applications targeting ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not affected.

Affected Software

The vulnerability affects any Microsoft ASP.NET Core project if it uses the following affected package version.

Affected package and version Package name Package version Microsoft.AspNetCore.Mvc.Core 1.1.0
Advisory FAQ

How do I know if I am affected?

ASP.NET Core has two different types of dependencies, direct and transitive. If your project has a direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0 you are affected.

.NET Core Project formats

.NET Core has two different project file formats, depending on what software created the project.

project.json is the original format, included in .NET Core 1.0 and Visual Studio 2015.

csproj is the format used in Visual Studio 2017.

You must ensure you follow the correct update instructions for your project type.

Direct Dependencies

Direct dependencies are dependencies where you specifically add a package to your project. For example, if you add the Microsoft.AspNetCore.Mvc package to your project then you have taken a direct dependency on Microsoft.AspNetCore.Mvc.

Direct dependencies are discoverable by reviewing your project.json or csproj file.

Transitive Dependencies

Transitive dependencies occur when you add a package to your project that in turn relies on another package. For example, if you add the Microsoft.AspNetCore.Mvc package to your project it depends on the Microsoft.AspNetCore.Mvc.Core package (amongst others). Your project has a direct dependency on Microsoft.AspNetCore.Mvc and a transitive dependency on the Microsoft.AspNetCore.Mvc.Core package.

Transitive dependencies are reviewable in the Visual Studio Solution Explorer window, which supports searching, or by reviewing the project.lock.json file contained in the root directory of your project for project.json projects or the project.assets.json file contained in the obj directory of your project for csproj projects. These files are the authoritative list of all packages used by your project, containing both direct and transitive dependencies.

Any ASP.NET Core MVC 1.1 application will have a dependency on the affected package, either direct or transitive.

How do I fix my affected app?

You will need to fix both direct dependencies and review and fix any transitive dependencies. Version 1.1.1 of the vulnerable package contains the fixes required to secure your app...
Click to expand...

Read more: Microsoft Security Advisory 4010983

:)

John_L. · Jan 26, 2017

Microsoft Security Advisory (2524375) - Fraudulent Digital Certificates Could Allow Spoofing

Microsoft Security Advisory (2524375) - Fraudulent Digital Certificates Could Allow Spoofing

An update to help address the fraudulent digital certificates issue is now available for Windows Mobile 6.x devices from the Microsoft Download Center -
Download the Update for Windows Mobile 6.x (KB2524375) package now.

To view the security advisory related to this issue, see Microsoft Security Advisory (2524375).

Bobby Lansing · Jan 26, 2017

KB3119147 update slowsed IE -11 to a crawl with windows 10

That is absolutely incorrect. As stated by the KB article:

https://support.microsoft.com/en-us/kb/3119147

"Microsoft has released a security advisory for IT professionals about vulnerabilities in Adobe Flash Player in the following web browsers:

Internet Explorer in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 10 version 1511

Microsoft Edge in Windows 10 and Windows 10 version 1511

To learn more about the vulnerability, see Microsoft security advisory 2755801.Microsoft has released a security
advisory for IT professionals about vulnerabilities in Adobe Flash Player in the following web browsers:

Internet Explorer in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 10 version 1511

Microsoft Edge in Windows 10 and Windows 10 version 1511

To learn more about the vulnerability, see Microsoft security advisory 2755801."

It or another simultaneous update has completely ruined IE11.

Windows 10: Microsoft Security Advisory 4010983

Microsoft Security Advisory 4010983

Microsoft Security Advisory 4010983

Microsoft Security Advisory 4010983 - Similar Threads - Microsoft Security Advisory

Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP...

Intel NUC Firmware Security Advisory - Jan. 8

WIndows Update Assistant/ Microsoft Security Advisory Notifications email v1809 Windows10

Microsoft Security Advisory for self-encrypting drives

Intel Server Boards Firmware Advisory for security vulnerability

Intel NUC Firmware Security Advisory

Adobe Security Advisory

Microsoft security advisory: Update for vulnerabilities in Adobe Flash

Microsoft Security Advisory 4053440