Advisory on July 2018 .NET Framework Updates #811
Comments
So the two workarounds for BizTalk (Uninstall the patch, or the NETWORK SERVICE one) both are described as "Warning: The following workarounds may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend these workarounds but are providing this information so that you can implement the workarounds at your own discretion. Use these workarounds at your own risk." So what is recommended for BizTalk? |
@Dijkgraaf You are right. We are actively investigating this issue and don't have a better option to offer. We completely understand if the workaround we gave isn't acceptable to you. |
Hello. I have a server running Windows Server 2012 R2 with IIS version 8.5.9600.16384. After updating the system I got an error: When I uninstalled KB4338419, the website started working fine. |
I thought I would add the error message I'm receiving related to this issue, since I have not found this exact error message mentioned anywhere and thought it might help someone else searching on this error. This error occurred in classic asp calling a .NET interop COM object: |
A new .NET Framework July 2018 Update has been released that resolves this advisory. We recommend that you install this update on your systems if you experienced the symptoms described in this advisory. If you did not experience these symptoms, we recommend you wait to update your machines until the next regular update. |
@richlander This update fixes the problem for us on 2012 R2, but not on 2008 R2. On 2008 R2 the KB4338420 update installed mscoreei.dll 4.7.3130.0 which includes the problematic "OpenProcessToken()" call, and the KB4346407 update doesn't touch mscoreei.dll, so we still have the problem. Updated 1st Aug: Note that the problems on 2008 R2 are when we install the new update over the top of the original update. |
This update did not resolve the issue on Windows 7 either. |
This update solved my problem on the production server, but on my local Windows 10 machine I can't install the update windows10.0-kb4346877-x64.
|
Thanks for these reports. Please keep them coming. We are actively investigating. |
Thanks for the report @StephenY-Titian. What scenario was broken that led you to discover that mscoreei.dll still contained the bad OpenProcessToken call? To @StephenY-Titian and anyone else, feel free to email me directly at rlander@microsoft.com |
@richlander Our scenario is with Classic ASP web pages with Windows Integrated Authentication. I've emailed you more details. |
Thanks for sending that. The information you shared was super useful. |
Thanks @richlander and team - the updated guidance solves the problem in our scenario on Server 2008 R2. |
Hi, I wanted to share the following with you: I am also facing an issue in a Windows Server 2008 R2 SP1 environment. (Classic ASP / Integrated Windows Authentication / COM-components) as a result of installing the defective .NET July 2018 updates, and finding that the July 30th 2018 fixes do not resolve the issue (like it did in another Windows Server 2012 environment - see Additional Comment below). Then, I simply decided to roll back ALL the Windows Updates that had been installed since the moment that everything was still working fine, hoping that at least we would be back to the situation where everything in IIS/ASP still worked. So, that brought us into a bit of a 'no way forward, no way back' situation here. Additional comment: Situation for now:
I'll keep monitoring this thread and will update you when I find something new on my end. |
Hi Rich, please note that if this specific environment can be interesting 'test material' for Microsoft in getting to the bottom of this issue in W2K8 R2, please let me know. I realize that one always first has to be able to reproduce the issue, before one can analyze and eventually resolve it. I would be happy to analyze this further and try new fixes as they come available. Hopefully the future solution will benefit others that are facing similar problems. |
I am sorry to hear that @mroset ... please feel free to email me directly @ rlander@microsoft.com |
Hi Rich, With your and Tara's excellent help (thanks !) the Guidance Section proved successful for us as well. See below followed steps for anyone facing similar issues. =================== I took the following actions, initially only on the TEST server (W2K8 R2 SP1 x64):
FINDINGS / RESULT:
(Note: Make sure NOT to install KB4340556 from Windows Update, since that would reintroduce the problem. Instead, wait for the structural solutions from Microsoft in the next Roll Up update) |
Advisory on July 2018 .NET Framework Updates
Updated: 08/14/2018
A new .NET Framework July 2018 Update has been released that resolves this advisory. See Guidance section.
Guidance has changed for Windows 7, Windows Server 2008 and Windows Server 2008 R2. See Guidance section.
The July 2018 Security and Quality Rollup updates for .NET Framework were released earlier this month. We have received multiple customer reports of applications that fail to start or don't run correctly after installing the July 2018 update. These reports are specific to applications that initialize a COM component and run with restricted permissions.
We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month's updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.
As a team, we regret that this release was shipped with this flaw. This release was tested using our regular and extensive testing process. We discovered while investigating this issue that we have a test hole for the specific combination of COM activation and restricted permissions, including impersonation. We will be mitigating that gap going forward. Again, we are sorry for any inconvenience that this product flaw has caused.
We will continue to update this issue and post as we have new information.
Guidance
We strongly recommend that you install .NET Framework August 2018 Update.
We recommend that you install .NET Framework July 2018 Update on your systems if you experienced the symptoms described in this advisory. If you did not experience these symptoms, we recommend you wait to update your machines until the next regular update, in August.
On Windows 7, Windows Server 2008, and Windows Server 2008 R2, we have found that the combination of July 2018 Security and Quality Rollup updates for .NET Framework and .NET Framework July 2018 Update does not resolve all symptoms. On these Windows versions, if you are experiencing these symptoms after installing this combination of patches, we recommend that you uninstall (only) the Monthly Rollup patch and then install the appropriate Security Only patch listed at July 2018 Security and Quality Rollup updates for .NET Framework.
Technical Context
The .NET Framework runtime uses the process token to determine whether the process is being run within an elevated context. These system calls can fail if the required process inspection permissions are not present. This causes an “access denied” error.
Symptoms
A COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.
The most commonly reported failure results in the following error message:
SharePoint
When users browse to a SharePoint site they may see the following HTTP 403 message:
"The Web Site declined to show this webpage"
The SharePoint ULS Logs will contain a message like the following:
When crawling a people content source, the request may fail with the following entry logged to the SharePoint ULS Log:
BizTalk Server Administration Console
BizTalk Server Administration Console fails to launch properly with the following errors:
Use the following guidance as a workaround:
IIS with Classic ASP
IIS Hosted Classic ASP calling CreateObject for .NET COM objects may receive the following error: "ActiveX component can't create object". Use the following guidance as a workaround.
.NET applications using COM and impersonation
.NET Applications that create instances of .NET COM application within an Impersonation Context may receive the following error: "0x80040154 (REGDB_E_CLASSNOTREG)". Use the following guidance as a workaround.
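A host triage check built only from the identifiers reported in this thread, as an added example (not Microsoft's or any commenter's script): it lists which of the KBs named on this page are installed and flags mscoreei.dll at 4.7.3130.0, the build a commenter reported as containing the OpenProcessToken() call. The function name `Get-July2018NetStatus` and the framework directory paths are assumptions.

```powershell
# Added example. KB notes are as reported by commenters on this page,
# not an official mapping of KB number to role.
$KbsFromThread = @{
    'KB4338419' = 'uninstalling it restored an IIS site on Server 2012 R2'
    'KB4338420' = 'reported to install mscoreei.dll 4.7.3130.0 on 2008 R2'
    'KB4346407' = 'reported not to touch mscoreei.dll on 2008 R2'
    'KB4346877' = 'Windows 10 package a commenter could not install'
    'KB4340556' = 'reported to reintroduce the problem on 2008 R2'
}
$ReportedBadVersion = '4.7.3130.0'

function Get-July2018NetStatus {
    # Get-HotFix reads Win32_QuickFixEngineering. Updates that are not
    # recorded there will not be listed, so an empty KB result is
    # inconclusive; the file version check below is the stronger signal.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbsFromThread.ContainsKey($_.HotFixID) }
    foreach ($hf in $installed) {
        New-Object PSObject -Property @{
            Item   = $hf.HotFixID
            Detail = $KbsFromThread[$hf.HotFixID]
            Flag   = $false
        }
    }

    # Assumed locations of the 32-bit and 64-bit copies of mscoreei.dll.
    foreach ($dir in 'Framework', 'Framework64') {
        $path = Join-Path $env:windir "Microsoft.NET\$dir\v4.0.30319\mscoreei.dll"
        if (-not (Test-Path $path)) { continue }
        $v = (Get-Item $path).VersionInfo
        # Build the version from numeric parts; FileVersion can carry extra text.
        $ver = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                    $v.FileBuildPart, $v.FilePrivatePart
        New-Object PSObject -Property @{
            Item   = $path
            Detail = $ver
            Flag   = ($ver -eq $ReportedBadVersion)
        }
    }
}

Get-July2018NetStatus | Select-Object Item, Detail, Flag | Format-Table -AutoSize
```

A row with `Flag` set to True means the host still carries the mscoreei.dll build reported in the thread, regardless of which later updates were layered on top.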