Microsoft KB Archive/931212

= MS07-040: Vulnerabilities in the .NET Framework could allow remote code execution =

Article ID: 931212

Article Last Modified on 11/30/2007

-

APPLIES TO


 * Customer Service and Support Information

-



INTRODUCTION
Microsoft has released security bulletin MS07-040. This security bulletin contains all the relevant information about the corresponding security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites:

 Home users:

http://www.microsoft.com/protect/computer/updates/bulletins/200707.mspx

Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:

http://update.microsoft.com/microsoftupdate/

 IT professionals:

http://www.microsoft.com/technet/security/bulletin/MS07-040.mspx





Known issues with this security update
The following table lists the known issues with this security update. If you have problems with this security update that are not addressed by these known issues, no-charge support is available for consumers by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for security update support issues, visit the International Support Web site:

http://support.microsoft.com/common/international.aspx

Enterprise customers can obtain support for security updates through their usual support contacts.

To use the table, look in the top two rows of the table. Locate the column of the appropriate Microsoft Knowledge Base article number for the update that corresponds to the .NET Framework version that you are using. The rows that contain an "X" correspond to a Knowledge Base article that describes a known issue for the .NET Framework version that you are using. Click the article numbers in the left column to view the article.

Microsoft Knowledge Base articles that describe the known issues with this security update
For more information about the known issues that are referenced in this table, click the following article numbers to view the articles in the Microsoft Knowledge Base:

923100 When you try to install an update for the .NET Framework 1.0, 1.1, or 2.0, you may receive Windows Update error code "0x643" or Windows Installer error code "1603"

923101 Error message when you try to install a security update for the .NET Framework 2.0 on a computer that is running Windows Server 2003 x64 Edition: "Error 1324. The folder 'Program Files' contains an invalid character"

931846 You may be unable to execute SQL Server 2005 Integration Services packages that contain script tasks or script components

934711 Error message when you restart the computer after you uninstall a security update for the .NET Framework 1.1: "This application has requested the Runtime to terminate in an unusual way"

934712 Warning message when you try to install a .NET Framework 1.0 Service Pack 3 or .NET Framework 1.1 Service Pack 1 security update on a Windows Vista-based computer: "An unidentified program wants to access your computer"

934793 Description of the SharePoint Server 2007 hotfix package: April 12, 2007

936597 The application or control does not run when you try to run .NET Framework 1.0 HREF tags to point to a managed executable application or to a control

939160 The file version is rolled back to the version that was installed by the last service pack when you remove some security updates for the .NET Framework 1.1 or for the .NET Framework 1.0

939949 Error message when you run an application or try to access a Web site on a computer that has a particular .NET Framework 2.0 software update installed: "Culture name 'Culture' is not supported"

940332 Error message when you install an update for the .NET Framework 1.1 or for the .NET Framework 1.0: "The upgrade patch cannot be installed by the Windows Installer service"

940521 The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040

940947 Error message after you install security update 931212 (MS07-040) in Windows 2000 with Service Pack 4: "Error 127: the specified procedure could not be found"

934229 The "Add Link to Site" page stops responding, and the link is not added when you try to add a new link to the Site Directory in a SharePoint Portal Server 2003 site

941789 You receive error messages after you install security update 931212 (MS07-040) on a Windows SharePoint Services 3.0 Web front-end server or on a SharePoint Server 2007 Web front-end server

941386 FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0 after you install the MS07-040 security update: "Type 'System.Web.HttpHeaderCollection' is not marked as serializable"

942086 FIX: Error message when you run an ASP.NET 2.0 Web application that is built on the .NET Framework 2.0: "The constructor to deserialize an object of type ' ' was not found"

943804 FIX: Certain Unicode characters returned by the Application.ExecutablePath property in the .NET Framework 2.0 are displayed as "?"

Microsoft Knowledge Base articles that describe the individual packages for this security update
For more information about the individual packages for this security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:

930494 Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows XP Media Center and Windows XP Tablet PC: July 10, 2007

928367 Description of the security update for the .NET Framework 1.0 Service Pack 3 for Windows Vista, Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007

933854 Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Server 2003: July 10, 2007

928366 Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows XP and Windows 2000: July 10, 2007

929729 Description of the security update for the .NET Framework 1.1 Service Pack 1 for Windows Vista: July 10, 2007

929916 Description of the security update for the .NET Framework 2.0 for Windows Vista: July 10, 2007

928365 Description of the security update for the .NET Framework 2.0 for Windows Server 2003, Windows XP, and Windows 2000: July 10, 2007

Additional information about this security update
After you install this security update, the behavior of the UTF8Encoding, UnicodeEncoding, and UTF32Encoding classes changes to comply with the Unicode 5.0 requirements for Unicode encodings. Unauthorized and invalid bytes are not removed. Instead, they are replaced by U+FFFD, the Unicode replacement character.

For more information about this behavior, click the following article number to view the article in the Microsoft Knowledge Base:

940521 The behavior of the UTF8Encoding class, the UnicodeEncoding class, and the UTF32Encoding class changes after you install the security update for the .NET Framework 2.0 that is described in security bulletin MS07-040
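
The replacement behavior described above can be checked against an application's own assumptions with a small harness. This is an added example, not code from Microsoft or from the Knowledge Base article; the class name `EncodingReplacementCheck` and the byte arrays are constructed for illustration. It decodes one ill-formed sequence with each of the three classes, counts the U+FFFD characters that come back, and shows the strict constructor overloads that reject such input.

```csharp
using System;
using System.Text;

static class EncodingReplacementCheck   // hypothetical name, not from the article
{
    const char Replacement = '\uFFFD';

    // Constructed sample inputs: 'A', one ill-formed sequence, 'B'.
    static readonly byte[] BadUtf8  = { 0x41, 0xC0, 0xAF, 0x42 };             // overlong 2-byte form
    static readonly byte[] BadUtf16 = { 0x41, 0x00, 0x00, 0xD8, 0x42, 0x00 }; // lone high surrogate (LE)
    static readonly byte[] BadUtf32 = { 0x41, 0, 0, 0,
                                        0x00, 0x00, 0x11, 0x00,               // 0x110000, above U+10FFFF (LE)
                                        0x42, 0, 0, 0 };

    static int CountReplacements(string s)
    {
        int n = 0;
        foreach (char c in s) if (c == Replacement) n++;
        return n;
    }

    static void Check(string name, Encoding lenient, Encoding strict, byte[] input)
    {
        // Default (lenient) decoding: the ill-formed bytes surface as U+FFFD
        // in the result string instead of being dropped.
        string decoded = lenient.GetString(input);
        Console.WriteLine("{0}: {1} chars, {2} x U+FFFD",
                          name, decoded.Length, CountReplacements(decoded));

        // Strict decoding: the constructor flag makes the decoder throw on
        // ill-formed input, for code that must reject it outright.
        try
        {
            strict.GetString(input);
            Console.WriteLine("{0} (strict): accepted", name);
        }
        catch (ArgumentException)   // DecoderFallbackException derives from this
        {
            Console.WriteLine("{0} (strict): rejected", name);
        }
    }

    static void Main()
    {
        Check("UTF-8",  new UTF8Encoding(false, false),
                        new UTF8Encoding(false, true), BadUtf8);
        Check("UTF-16", new UnicodeEncoding(false, false, false),
                        new UnicodeEncoding(false, false, true), BadUtf16);
        Check("UTF-32", new UTF32Encoding(false, false, false),
                        new UTF32Encoding(false, false, true), BadUtf32);
    }
}
```

Code that compares decoded lengths, hashes decoded strings, or matches on exact text should be retested with input like this, because the decoded string now contains replacement characters where the ill-formed bytes stood.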

Affected software
This article applies to the following versions of the Microsoft .NET Framework when used with the corresponding Microsoft operating systems:
 * The .NET Framework 1.0 Service Pack 3 when used with:
    * Windows 2000 Service Pack 4
    * Windows XP Service Pack 2
    * Windows XP Professional x64 Edition
    * Windows XP Professional x64 Edition Service Pack 2
    * Windows XP Tablet PC Edition 2005
    * Windows XP Media Center Edition 2005
    * Windows Server 2003 Service Pack 1
    * Windows Server 2003 Service Pack 2
    * Windows Server 2003 for Itanium-based Systems when used with:
       * Windows Server 2003 Service Pack 1
       * Windows Server 2003 Service Pack 2
    * Windows Server 2003 x64 Edition
    * Windows Server 2003 x64 Edition Service Pack 2
    * Windows Vista
 * The .NET Framework 1.1 Service Pack 1 when used with:
    * Windows 2000 Service Pack 4
    * Windows XP Service Pack 2
    * Windows XP Professional x64 Edition
    * Windows XP Professional x64 Edition Service Pack 2
    * Windows Server 2003 Service Pack 1
    * Windows Server 2003 Service Pack 2
    * Windows Server 2003 for Itanium-based Systems when used with:
       * Windows Server 2003 Service Pack 1
       * Windows Server 2003 Service Pack 2
    * Windows Server 2003 x64 Edition
    * Windows Server 2003 x64 Edition Service Pack 2
    * Windows Vista
    * Windows Vista x64 Edition
 * The .NET Framework 2.0 when used with:
    * Windows 2000 Service Pack 4
    * Windows XP Service Pack 2
    * Windows XP Professional x64 Edition
    * Windows XP Professional x64 Edition Service Pack 2
    * Windows Server 2003 Service Pack 1
    * Windows Server 2003 Service Pack 2
    * Windows Server 2003 for Itanium-based Systems when used with:
       * Windows Server 2003 Service Pack 1
       * Windows Server 2003 Service Pack 2
    * Windows Server 2003 x64 Edition
    * Windows Server 2003 x64 Edition Service Pack 2
    * Windows Vista
    * Windows Vista x64 Edition


© Microsoft Corporation. All rights reserved.