locked
Security Update for KB3037580 breaks our compilation and application operation RRS feed

  • Question

  • We develop .NET C# software that currently uses Silverlight for the web interface.

    On servers that have security patch MS15-041 installed we get the following error during software compilation:

    22>C:\Program Files (x86)\MSBuild\Microsoft\Silverlight\v5.0\Microsoft.Ria.Client.targets(303,5): error MSB4018: System.InvalidOperationException: There was a problem initializing the HttpRuntime. ---> System.DllNotFoundException: Unable to load DLL 'webengine4.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

    removing the update fixes the problem

    Similarly, running the software (compiled with the update removed), on another server that still has the update installed, results in an error loading dlls that rely on system.web. Removing the update allows the software to run as expected.

    We are investigating the issue internally, but wondered if anyone has experienced similar issues.

    Does anyone have any suggestions on where we should be looking for a resolution?

    Wednesday, April 22, 2015 1:42 PM

Answers

  • The issue turns out to be due to missing dlls in the Windows update from MS. The fix is to apply another (earlier) update that provides these dlls. The additional update relates to KB 2977766

    the issue can be tested by running aspnet_regiis on the server. This will fail if the dlls are missing

    • Marked as answer by Peter Wells UK Thursday, April 23, 2015 12:06 PM
    Thursday, April 23, 2015 12:06 PM

All replies

  • That particular vulnerability:

    "

    This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled.

    "

    Seems to be web servers.

    Is your build server a web server?

    If it is, could someone outside your company realistically get at it?

    I should think at least the latter is unlikely.

    Build servers are usually internal rather than public facing.



    Hope that helps.

    Technet articles: Uneventful MVVM; All my Technet Articles

    Wednesday, April 22, 2015 2:03 PM
  • The application is a web application. We have carried out additional research and have discovered that it is only the update that is applied to Windows 2012 (KB3037580). The update seems to assume .NET 4.5.1, whereas the native framework on 2012 is 4.5. After applying the update, webengine4.dll is unable to load as it is missing msvcr120_clr0400.dll, which does not exist on the machine. It does work on Windows 2012 R2 as the required dll exists in System32.

    A work-around may be to install 4.5.1, but this seems to be the wrong way to resolve the issue

    • Proposed as answer by olwin Tuesday, December 22, 2015 9:37 AM
    Wednesday, April 22, 2015 2:44 PM
  • Hi Peter,
    >>The update seems to assume .NET 4.5.1, whereas the native framework on 2012 is 4.5.
    This update applies to Microsoft .NET 4.5 when used with Windows Server 2012. You can find it at : #https://support.microsoft.com/en-us/kb/3037580 .
    I think the reason with this problem is the World Wide Web Publishing Service started failed. Maybe the update changes the World Wide Web Publishing Service from auto to manual. So I suggest you to find the World Wide Web Publishing Service in Computer Management -> Services and Applications -> Services, and reset the service to auto-start, then reboot it.
    If it doesn’t  work, please feel free to let me know.

    Best Regards,
    Vegetable Wendy


    Thursday, April 23, 2015 10:25 AM
  • The issue turns out to be due to missing dlls in the Windows update from MS. The fix is to apply another (earlier) update that provides these dlls. The additional update relates to KB 2977766

    the issue can be tested by running aspnet_regiis on the server. This will fail if the dlls are missing

    • Marked as answer by Peter Wells UK Thursday, April 23, 2015 12:06 PM
    Thursday, April 23, 2015 12:06 PM
  • Why did you mark your answer as the answer? We had https://support.microsoft.com/en-us/kb/3037580 and KB2977766 both installed and the problem still existed. After removing 3037580 the problem went away.

    The fix is not to install an older KB. The fix is to fix https://support.microsoft.com/en-us/kb/3037580 this update or not apply 3037580 to any Windows Server 2012 standard versions.


    Chris


    Monday, April 27, 2015 1:18 PM
  • Microsoft Security Bulletin https://technet.microsoft.com/library/security/ms15-041 re-released to address issues with the 3037580 update for Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected editions of Microsoft Windows. This addresses the issue reported on this post. Customers running on Windows 8, Windows 8 RT, and Windows Server 2012 are encouraged to install the new version of the 3037580 update to be protected from the vulnerability discussed in this bulletin. See Microsoft Knowledge Base Article 3037580 for more information.
    Tuesday, May 12, 2015 11:36 PM