Applies To.NET

Release Date:February 9, 2021

Version:.NET Framework 4.8

Summary

Security Improvements

This security update addresses a denial of service vulnerability in .NET Framework. For more information please see CVE-2021-24111.

Quality Improvements

ASP.NET

- Addresses an issue where after installing the update released on October 20th, some ASP.Net applications fail during precompilation – likely with a message that contains the words “Error ASPCONFIG.”

WPF1

- Addresses a hang when scrolling to the end of a TreeView, when layout rounding is enabled and DPI scaling is not 100%.

CLR

- Improves the reliability of automatic Native Image generation task.

1 Windows Presentation Foundation (WPF)

Known issues in this update

Symptom

After installing this update, WPF apps may crash with a callstack similar to

Exception Info: System.NullReferenceException at System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Windows.Interop.HwndSource, RECT ByRef) at System.Windows.Interop.HwndMouseInputProvider.GetEffectiveClientRect(IntPtr)
at System.Windows.Interop.HwndMouseInputProvider.PossiblyDeactivate(IntPtr, Boolean)
at System.Windows.Interop.HwndMouseInputProvider.Dispose()

This occurs when disposing an HwndSource whose RootVisual is null, a situation that arises in Visual Studio when docking or splitting windows, and could arise in other apps.

Workaround

To work around this problem, set two AppContext switches using one of the methods described in AppContext Class (System) under the heading “AppContext for library consumers”.  The switches are named Switch.System.Windows.Interop.MouseInput.OptOutOfMoveToChromedWindowFix and Switch.System.Windows.Interop.MouseInput.DoNotOptOutOfMoveToChromedWindowFix and both should be set to “true”.   The first switch avoids the crash, but re-introduces the bug fixed in the KBs.  The second switch is currently ignored, but will be recognized in a future .NET update that contains a fix for the null-reference crash;  it restores the original bug fix.

For example, using the app.config file method to apply the workaround at application scope:

<AppContextSwitchOverrides value="Switch.System.Windows.Interop.MouseInput.OptOutOfMoveToChromedWindowFix=true; Switch.System.Windows.Interop.MouseInput.DoNotOptOutOfMoveToChromedWindowFix=true " />

How to get this update

Install this update

Release Channel

Available

Next Step

Windows Update and Microsoft Update

Yes

None. This update will be downloaded and installed automatically from Windows Update.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS)

Yes

This update will automatically sync with WSUS if you configure Products and Classifications as follows:

Product: Windows 10, version 1607 and Windows Server, version 2016

Classification: Security Updates

File information

For a list of the files that are provided in this update, download the file information for cumulative update.

Information about protection and security

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.