
Critical security flaw discovered in the just-released .NET 4.6 software


July 28, 2015


A nasty security hole in part of the optimizer in the just-released Microsoft .NET 4.6 runtime software could break and crash production applications, we've been warned.

"The methods you call can get different parameter values than you passed in," says Nick Craver, software developer and system administrator for Stack Exchange.

At first, the security flaw was rather difficult to detect, since it occurs only when optimizations are enabled.

This simply means that you can build an application, run it in Visual Studio, and everything is fine. It is only when you compile a production build that the problem occurs.

Craver says that attaching a debugger changes the behavior and usually hides the problem.

It was noticed at Stack Overflow because its heavily exercised HTTP caching code was not working with the new runtime, delivering unpredictable results, he added.

The security issue has been documented on GitHub as "Tail Call Bug in Ryu-JIT – incorrect parameters passed," complete with the code that reproduces the problem.

"When the parameters you're passing aren't the ones the method is getting, all sanity goes out the window. What if your method says how much stock to buy? What if it gives dosing information to a patient? What if it tells a plane at what altitude to climb to or to fall to what level?" reads the report.

The problem appears to be in the new JIT compiler called Ryu-JIT. When optimization is enabled, the last method in the call stack can get a random value passed to it in some cases.

"The security team is taking this very seriously. We're going to talk about it later today as people get into the office," said Microsoft .NET Program Manager Rich Lander.

Since the bug is in the JIT compiler, the workaround is not to install .NET 4.6 at all for now.

If you install it, even applications targeting earlier versions of .NET may be critically impacted, since the same compiler is used.

A version of .NET 4.6 ships with Windows 10. Craver claimed that Microsoft has "fixed the security flaw internally, but not for users," in which case, if the bug is as severe as it appears, you can expect a patch to appear soon.

Source: Microsoft.
