.NET Framework updates

[Jo-Anne]

Although still using WinXP, I've gotten an Automatic Updates notice to
download 11 .NET Framework security updates. My question: Are these
updates important enough that I should download them?

I had so much trouble in the past with .NET Framework updates that,
after the problems were fixed, I stuck with the earlier versions and
marked the updates as not to be shown again.

Thank you,

Jo-Anne

 

[Paul in Houston TX]

Although still using WinXP, I've gotten an Automatic Updates notice to
download 11 .NET Framework security updates. My question: Are these
updates important enough that I should download them?

I had so much trouble in the past with .NET Framework updates that,
after the problems were fixed, I stuck with the earlier versions and
marked the updates as not to be shown again.

Thank you,

Jo-Anne

Should you update? That is up to you.
I have not updated this XP3 machine since 2010.
I don't have any anti-virus scanners active.
Never get viruses on this machine since typically JS is off,
html email is off, flash off, etc.

The W7 machines actually use .NET4 and get updated weekly.
Everything needs to be turned on there, consequently they pick
up a virus every few months. It used to be a weekly virus until
the company dumped MS security for a different brand.

 

[Jo-Anne]

Should you update? That is up to you.
I have not updated this XP3 machine since 2010.
I don't have any anti-virus scanners active.
Never get viruses on this machine since typically JS is off,
html email is off, flash off, etc.

The W7 machines actually use .NET4 and get updated weekly.
Everything needs to be turned on there, consequently they pick
up a virus every few months. It used to be a weekly virus until
the company dumped MS security for a different brand.

Thank you, Paul. I'll hold off for now (and maybe forever).

Jo-Anne

 

[Hot-Text]

Although still using WinXP, I've gotten an Automatic Updates notice to
download 11 .NET Framework security updates. My question: Are these
updates important enough that I should download them?
YES

I had so much trouble in the past with .NET Framework updates that, after
the problems were fixed, I stuck with the earlier versions and marked the
updates as not to be shown again.

Thank you,

Jo-Anne

 

[Mayayana]

Although still using WinXP, I've gotten an Automatic Updates notice to

download 11 .NET Framework security updates. My question: Are these
updates important enough that I should download them?

YES

Why? Do you know what they are? If they're
security updates they should presumably be
relevant on software going online or .Net
installs enabled through IE. Personally I have
exactly one .Net program, because I can't avoid
it. That's my display settings applet. It's hard
to imagine how security patches for that could
matter.

 

[Hot-Text]

YES

Why? Do you know what they are? If they're
security updates they should presumably be
relevant on software going online or .Net
installs enabled through IE. Personally I have
exactly one .Net program, because I can't avoid
it. That's my display settings applet. It's hard
to imagine how security patches for that could
matter.

November 2014 .NET Security Updates
blogs.msdn.com · 11/11/2014

Microsoft Security Bulletin MS14-072 - Important,
Vulnerability in .NET Framework
Could Allow Elevation of Privilege (3005210)
This security update resolves a privately
reported vulnerability in Microsoft .NET…

<
http://blogs.msdn.com/b/dotnet/archive/2014/11/11/november-2014-net-security-updates.aspx >

This security update is rated Important for Microsoft .NET Framework 1.1
Service Pack 1,
Microsoft .NET Framework 2.0 Service Pack 2,
Microsoft .NET Framework 3.5,
Microsoft .NET Framework 3.5.1,
Microsoft .NET Framework 4,
Microsoft .NET Framework 4.5,
Microsoft .NET Framework 4.5.1,
and Microsoft .NET Framework 4.5.2
on affected releases of Microsoft Windows.

 

[Mayayana]

Microsoft Security Bulletin MS14-072 - Important,
Vulnerability in .NET Framework
Could Allow Elevation of Privilege (3005210)
This security update resolves a privately
reported vulnerability in Microsoft .NET…

<
http://blogs.msdn.com/b/dotnet/archive/2014/11/11/november-2014-net-security-updates.aspx >

"Only custom applications that have been specifically designed to use .NET
Remoting would expose a system to the vulnerability......NET Remoting is not
widely used by applications.....NET Remoting endpoints are not accessible to
anonymous clients by default."

One has to be running .Net software that has built-in
remote communication. What kind of nut would install such
software, unless they're on a workstation inside a safe
intranet? One would also have to have set the software to
allow access to anonymous external sources. Even running
Internet-connected .Net software is not wise, just as running
Internet-connected Java software and Flash greatly increase
one's vulnerability. Here we're talking about running .Net
Remoting configured to allow anonymous communications
through.

The bug sounds similar to the advertised critical Windows
bug that was recently reported: It's very serious. There's
currently no cure. It affects all systems, at least from
Server 2003 up. But if one reads the warning it turns out
that the risk is to machines that allow incoming requests.
Servers are at big risk. A Desktop PC that doesn't have
risky protocols like file sharing and remote Desktop is
not at risk. (A Desktop with those protocols enabled
is always at risk and should at least have a good firewall
to filter incoming requests.)

So, many of these bugs sound serious on the surface,
but they're not necessarily a big deal once the details
are clear.

 

[Hot-Text]

Microsoft Security Bulletin MS14-072 - Important,
Vulnerability in .NET Framework
Could Allow Elevation of Privilege (3005210)
This security update resolves a privately
reported vulnerability in Microsoft .NET…

<
http://blogs.msdn.com/b/dotnet/archive/2014/11/11/november-2014-net-security-updates.aspx >

"Only custom applications that have been specifically designed to use ..NET
Remoting would expose a system to the vulnerability......NET Remoting is
not
widely used by applications.....NET Remoting endpoints are not accessible
to
anonymous clients by default."

One has to be running .Net software that has built-in
remote communication. What kind of nut would install such
software, unless they're on a workstation inside a safe
intranet? One would also have to have set the software to
allow access to anonymous external sources. Even running
Internet-connected .Net software is not wise, just as running
Internet-connected Java software and Flash greatly increase
one's vulnerability. Here we're talking about running .Net
Remoting configured to allow anonymous communications
through.

The bug sounds similar to the advertised critical Windows
bug that was recently reported: It's very serious. There's
currently no cure. It affects all systems, at least from
Server 2003 up. But if one reads the warning it turns out
that the risk is to machines that allow incoming requests.
Servers are at big risk. A Desktop PC that doesn't have
risky protocols like file sharing and remote Desktop is
not at risk. (A Desktop with those protocols enabled
is always at risk and should at least have a good firewall
to filter incoming requests.)

So, many of these bugs sound serious on the surface,
but they're not necessarily a big deal once the details
are clear.

True if you do not use
Remote communication
As a Video Chat Room

Have you enjoy your free "Skype" today .NET Framework
Could Allow Elevation of Privilege used by your "Skype"