Each month the Readiness team analyses updates and patches from Microsoft for Patch Tuesday. We have a regular blog posting found on Computerworld and our latest article detailed the June Patch Tuesday release. This article covers updates to the Windows, Microsoft Office, and development platforms such as Visual Studio and the .NET framework. With each of these platforms, we offer testing and deployment guidance. For example, with several zero-day exploits for Windows in May, we suggest an urgent “Patch Now” deployment recommendation while last month was a little calmer with an “Add to your standard release schedule”.
Unusually for Microsoft, there was an out-of-bounds update just a few days after June’s Patch Tuesday to the Microsoft .NET platform.
Almost immediately after the release of this month’s (June) update to Microsoft .NET, we began to see reports of issues with installing the update and its impact on the target system, as quoted on Reddit:
“Only unusual thing that I noticed which others might have experienced is the long ‘cleaning up’ process post-update/pre-login on the reboot. That happens if you reboot for the cumulative update and the NET update at the same time.”
Things got a little more serious as documented by Microsoft with the following symptoms of the recent .NET update:
- When using the X509Certificate, X509Certificate2, or X509Certificate2Collection class to import a PKCS#12 blob containing a private key, the calling application may observe the below exception.
- System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations.
- This failure affects PKCS#12 blobs which have been exported [e.g., via X509Certificate.Export(X509ContentType.Pfx)] without a password. The failure may occur non-deterministically.
As we posted on Computerworld, “at first glance, our team thought this would be a big update with a large testing profile.” We still recommended a full testing profile with a standard release schedule as there was not a compelling event for a quick release. That said, there are issues with this month’s .NET Patch Tuesday update and there is now a revised OOB patch (as of June 22nd) with KB5025823.
In addition, Microsoft has offered the following mitigations (registry delete commands) if you are experiencing issues with your X509 certificates.
reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:32 reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:64
We have checked the release notes from this latest, revised update and these changes (and mitigations) apply to all support versions of Microsoft .NET and Windows desktop platforms. In addition, Microsoft has confirmed that this latest update is official and has been confirmed to resolve the reported x509 certificate issues.