Microsoft: Patch Tuesday broke .NET on Windows 11/10, these OOB updates resolved the issues

Microsoft released Patch Tuesday updates on Windows 10 (KB5027215, among others), and Windows 11 (KB5027231) on June 13, which was the second Tuesday of the month. The update addressed security issues, among other bugs. Aside from OS security, Patch Tuesday also fixed security issues in Office 2013 and 2016, for both 32-bit and 64-bit versions. The company also announced the arrival of a full-screen notice about Windows Hello that will now be displayed on both Windows 11 as well as Windows 10.

And as is often the case, there are major bugs affecting it as well. On Windows 11, Patch Tuesday was causing Malwarebytes to go a bit haywire and block Google Chrome. Meanwhile, users reported that Windows 10 updates were having installation issues.

Microsoft has now also patched an issue related to how the .NET Framework runtime update on June 13 would affect the imports of X.509 Certificates. Unlike how they functioned before, there the additional validation could now lead to CryptographicException error. In case you missed it, Microsoft began delivering .NET updates via Windows Update since May.

Description of change

Prior to the June 13, 2023, change, when .NET Framework and .NET is presented with a binary certificate blob for import, .NET Framework and .NET would typically delegate validation and import of the blob to the underlying OS. For example, on Windows, .NET Framework and .NET would typically rely on the PFXImportCertStore API for validation and import.

As of the June 13, 2023, change, when .NET Framework and .NET is presented with a binary certificate blob for import, .NET Framework and .NET will in some circumstances perform additional validation before handing the blob to the underlying OS. This additional validation performs a series of heuristic checks to determine if the incoming certificate would maliciously exhaust resources upon import. Since this is additional validation beyond what the underlying OS would normally perform, it may block certificate blobs which would have successfully imported prior to the June 13, 2023, change.

Microsoft has also detailed the symptoms of the issue:

Symptom

When using the X509Certificate, X509Certificate2, or X509Certificate2Collection class to import a PKCS#12 blob containing a private key, the calling application may observe the below exception.

System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations.

This failure affects PKCS#12 blobs which have been exported [e.g., via X509Certificate.Export(X509ContentType.Pfx)] without a password. The failure may occur non-deterministically.

A workaround for the problem had been deployed on affected systems, though the company states that any registry changes made to work around the problem must be reverted:

Workaround

Microsoft has released updated installers for .NET Framework and .NET to address this issue. These installers can be applied to the affected machine regardless of whether the machine has already applied the original June 13, 2023, .NET Framework and .NET security updates.

Important:

If you previously used the registry switches documented at KB5025823 Change in how .NET applications import X.509 certificates to work around this issue, please remove those registry switches before installing the new patch. Run the two commands below from an elevated command prompt to remove the registry switches.

reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:32

reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:64

These issues are addressed on Windows 10 as well as Windows 11, and more with the following out-of-band updates that can be manually downloaded from the Microsoft Update Catalog website.

Product Version

Update

Windows 11, version 22H2

.NET Framework 4.8.1

Catalog

5028576

Windows 11, version 21H2

.NET Framework 4.8

Catalog

5028582

.NET Framework 4.8.1

Catalog

5028575

Windows Server 2022

.NET Framework 4.8

Catalog

5028584

.NET Framework 4.8.1

Catalog

5028578

Azure Stack HCI, version 22H2

.NET Framework 4.8

Catalog

5028584

Azure Stack HCI, version 21H2

.NET Framework 4.8

Catalog

5028584

Windows 10 Version 22H2

.NET Framework 4.8

Catalog

5028579

.NET Framework 4.8.1

Catalog

5028574

Windows 10 Version 21H2

.NET Framework 4.8

Catalog

5028579

.NET Framework 4.8.1

Catalog

5028574

Windows 10 1809 (October 2018 Update) and Windows Server 2019

.NET Framework 4.7.2

Catalog

5028588

.NET Framework 4.8

Catalog

5028581

Windows 10 1607 (Anniversary Update) and Windows Server 2016

.NET Framework 4.8

Catalog

5028580

Windows Embedded 8.1 and Windows Server 2012 R2

.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2

Catalog

5028590

.NET Framework 4.8

Catalog

5028585

Windows Embedded 8 and Windows Server 2012

.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2

Catalog

5028589

.NET Framework 4.8

Catalog

5028583

Windows Embedded 7 Standard and Windows Server 2008 R2 SP1

.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2

Catalog

5028591

.NET Framework 4.8

Catalog

5028586

all supported Windows versions

.NET 6.0.19

Catalog

5028613

.NET 7.0.8

Catalog

5028614

You may find more details about the issue on Microsoft"s official website on this page (KB5028608).


Update: Alongside the ones listed above, Microsoft also released Windows builds for the original Windows 10 (version 1507) and Windows 10 version 1607 under KB5028622 (build 10240.19986) and KB5028623 (build 14393.5996), respectively, to address the .NET issues.

The full changelog is given below:

Highlights

  • This update addresses a non-security issue for your Windows operating system.

Improvements

This non-security update includes quality improvements. When you install this KB:

  • This update addresses a change that affects how you use the X509Certificate, X509Certificate2, or X509Certificate2Collection classes. When you use them to import a PKCS#12 blob that contains a private key, the calling application might get an exception. The exception message is, “System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations.
    Report a problem with article
    Next Article

    Google canceling Pixel Fold pre-orders is supposedly due to 'a bug'

    Previous Article

    Microsoft releases free Windows 11 virtual machines with the Moment 3 update