Related topics
×
Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Release Date:
August 11, 2020

Version:
.NET Framework 3.5 and 4.8

Summary

An elevation of privilege vulnerability exists when ASP.NET or .NET Framework web applications running on IIS improperly allow access to cached files. An attacker who successfully exploited this vulnerability could gain access to restricted files. To exploit this vulnerability, an attacker would need to send a specially crafted request to an affected server. The update addresses the vulnerability by changing how ASP.NET and .NET Framework handle requests.

To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).

A remote code execution vulnerability exists when Microsoft .NET Framework processes input. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would need to be able to upload a specially crafted file to a web application. The security update addresses the vulnerability by correcting how .NET Framework processes input.

For more information go to: https://go.microsoft.com/fwlink/?linkid=2138023

To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).

Known issues in this update

Windows Presentation Framework (WPF) applications that use two or more HostVisual elements belonging to a common thread, where both HostVisual elements are asked to disconnect from their visual target at roughly the same time, mail fail with the following error:

Exception type:  System.COMException
Message:  UCEERR_RENDERTHREADFAILURE (HRESULT 0x88980406)
Callstack:  top frame is System.Windows.Media.Composition.DUCE+Channel.SyncFlush()

Workarounds

You can disable the problematic fix by setting the AppContext switch “Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread” to true, using one of the methods described here.  This exposes your app to the original bug, so you should remove the switch once a fix is published through an upcoming update.

Workaround 1


•    Add the following entry to the app.config file to disable the problematic fix in a single application.


<runtime>
    <AppContextSwitchOverrides value="Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread=true"/>
</runtime>

Note that if your application configuration already has an entry for <AppContextSwitchOverrides>, you need to add the new setting within that entry, separated from other switches by a semicolon:

   <AppContextSwitchOverrides value="Switch.SomeOtherSwitch=true; Switch.System.Windows.Media.HostVisual.DisconnectsOnWrongThread=true"/>

Workaround 2


•    Apply the following registry subkey to disable the problematic fix for all WPF applications on the machine.
 Warning
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.


Location: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AppContext\
Name: Switch.System.Media.HostVisual.DisconnectsOnWrongThread
Type: String
Value: true

Note that on 64-bit operating systems, you also need to apply a registry subkey with the same name, type, and value at the location:   HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\.NETFramework\AppContext\

Resolution

We are working on a resolution and will provide an update in an upcoming release.
 

 

How to get this update

Install this update

Release Channel

Available

Next Step

Windows Update and Microsoft Update

Yes

None. This update will be downloaded and installed automatically from Windows Update.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS)

Yes

This update will automatically sync with WSUS if you configure Products and Classifications as follows:

Product:Windows 10 Version 2004

Classification: Security Updates

File information

For a list of the files that are provided in this update, download the file information for cumulative update.

Information about protection and security

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×