KB929916

UpdatesDescription: A security issue has been identified that could allow an attacker to compromise your Windows-based system running the Microsoft .NET Framework and gain access to restricted data. You can help protect your computer by installing this update from Microsoft.

Update type: Important

Release date: July 10, 2007

Applies to: All versions

Knowledge base: http://support.microsoft.com/kb/929916

Download link: 32-bit | 64-bit

Comments: Though not specifically for the core of Vista, all Vista releases include IE7, so it is relevant. This update resolves three privately reported vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET. In all remote code execution cases, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update addresses two vulnerabilities by modifying the way .NET Framework addresses buffer allocation. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information. Details also available in security bulletin MS07-040.

KB929916

3 Replies to “KB929916”

  1. This update refuses to install on my WinXP Pro system, dying with an error code 0x64c when I try to install it with Microsoft Update.

    If I download the file from Microsoft Downloads directly and try to run it, it dies with “Unable to locate source code”. Discussions at the MS Windows Update forum seem to indicate some success with completely removing .NET 2.0 and reinstalling it, but it’s not worth the trouble for me. I’ll wait for MS to issue a patched patch.

    What I find upsetting about this group of flawed patches this month is that the Vista/Server 2008 beta testers were asked last month to try out 4 proposed updates to Vista, all of which have now been released, and there were no problems with any of them (the released versions were identical to the tested versions).

    The 3 problem patches this month were not among the tested patches.

  2. Looks like there is a 1.1 update:
    V1.1 (July 12, 2007): Bulletin updated: Corrected Windows Vista severity rating in the “Affected Software� table to Important. Corrected several instances in the file manifest tables incorrectly referencing a version of Mscordacwks.dll that is not installed on the system. Added an additional FAQ explaining why customers installing .NET Framework 3.0 should update .NET Framework 2.0 on their system. Added an additional FAQ for ASP.NET Web application developers.

    Grab the update from the same links above and hopefully this time it will work for you!

Leave a Reply