I've had a request that we upgrade all our internally developed applications to .NET v4.0.
Needless to say, this is a massive chunk of work. Is using applications based on the .NET framework prior to v4.0 a genuine security issue?
Asked
Active
Viewed 6,345 times
2 Answers
10
No it's not a risk to run an earlier framework (except for 1.x), just make sure it's patched as described below.
All frameworks will get free security updates as described in Mainstream and Extended Support phase. Each framework needs to have it's own service pack. (scroll to bottom of that link)
To make things easier, .NET 3.5 SP1 is considered a core component of the Windows OS. The standard Windows support guidance applies. In particular:
- .NET 1.0 is a security risk since no hotfixes have been produced since SP3 past July 14 2009
- .NET 1.1 should be at SP1, though security hotfix support ends October 2013 unless you are running it on Server 2003 (security hotfix support for Server 2003 ends July 2015).
- .NET 2.0 should be at SP2
- .NET 3.0 should be at SP2
- .NET 3.5 should be at SP1
- .NET 4.0 will reach end of support on all OS on January 12, 2016
- .NET 4.5 should be at 4.5.2. Support expiration is based on the OS and the most recent service pack for that OS. (e.g. Windows 7 SP1)
What is the Security Update policy?
Security updates will be available through the end of the Extended Support phase (five years of Mainstream Support plus five years of the Extended Support) at no additional cost for most products. Security updates will be posted on the Microsoft Update Web site during both the Mainstream and the Extended Support phase.
Is the Extended Hotfix Support program required for customers to receive security updates?
No. Any customer can report a security issue to Microsoft. Microsoft will review the issue. If a security update is created, it will be made available to customers as described earlier in this document.
Colin Pickard
- 1,800
- 2
- 11
- 14
makerofthings7
- 50,918
- 55
- 261
- 556
-
1You might want to mention that .NET 4.0 also has had one service pack. – Ramhound Jun 12 '12 at 19:50
-
In principle I agree, however v1.0 and 1.1 are no longer supported and should be upgraded ASAP (even with most recent SPs). v2.0 is also considered weak-ish, kinda decrepit, and has certain issues of it's own - v2.0 should be phased out over a short time, as possible (but not urgent). v3.0 and up (with recent SPs) is perfectly fine and not an issue at all. However, all new development should be on v4 for numerous reasons, not least of all for future-proofing as much as possible. Also upgraded CLR, much functionality, and many new security mechanisms... – AviD Jun 12 '12 at 19:59
-
@AviD I was surprised that 1.0 seemed supported according to MSFT's website, when in fact it is no longer supported. On the other hand Wikipedia says 1.1 is under Extended Support through July 14 2015, which includes security hotfixes. – makerofthings7 Jun 12 '12 at 21:24
-
@Ramhound Do you have a link to the service pack? All I can find are patches such as Reliability Updates and a GDR update. Do any of these patches change the support timing of the frameworks? I'm not trying to list all updates, just updates that relate to the security supportability of the framework – makerofthings7 Jun 12 '12 at 21:35
-
@makerofthings7 - All .NET Framework Service Packs are sent through Windows Update. The .NET Framework 4.0 Service Pack 1 is included in Visual Studio 2010 SP1. I forget if they increase the actual version of the 4.0 .NET Framework or not. – Ramhound Jun 13 '12 at 16:14
-
@AviD Technically 3.5 has 3.0 and 2.0 inside, so 2.0 or later is fine. – Yuhong Bao May 21 '14 at 06:20
-
-
Service packs for 3.5, 3.0, and 2.0 are developed together and 3.5 and 3.0 only provides additional components to layer on top of 2.0. 3.5 SP1 has 3.0 SP2 and 2.0 SP2 inside for example. – Yuhong Bao May 22 '14 at 01:53
2
Needless to say, this is a massive chunk of work. Is using applications based on the .NET framework prior to v4.0 a genuine security issue?
Microsoft has released security patches for all version of the .NET Framework that have been effected by a security bug. I do believe that Microsoft does not support .NET Framework 1.0/1.1 at this time.
You shouldn't have to change any code....
Ramhound
- 496
- 4
- 9
-
In an ideal world, no we wouldn't have to change any code. But there are issues with 3rd party APIs such as Crytal Reports and the SAP Connector which prevent the projects being upgraded quite so easily. I'm more interested in whether the earlier frameworks have any known vulnerabilites that would cause security concerns when deployed. e.g. if I had .NET 1.1 on a server is it a security risk? – Gareth Jun 11 '12 at 11:25
-
@GarethS - Unlikely unless there is an unknown security vulerability that Microsoft has not patched. In other words the risk are exactly the same as if you were running .NET 4.0 SP1 on the machine. You should upgrade to at least .NET 3.5 SP1 since that is supported product. I have updated many products to use 4.0 that used Crystal Reports and SAP Connector all I did was update the references and I was good to go. – Ramhound Jun 11 '12 at 11:31
-
I'm glad you didn't have any issues, but I can't for the life of me get Crystal Reports which work in VB6 / .NET 1.1 to work in a .NET 4 compiled app without resaving them in an newer format. For reasons I won't go into, it's not feasible to upgrade all our reports at this time. – Gareth Jul 06 '12 at 08:36