Jump to content
  • Microsoft warns of critical PowerShell 7 code execution vulnerability


    Karlston

    • 1.1k views
    • 2 minutes
     Share


    • 1.1k views
    • 2 minutes

    Microsoft warns of critical PowerShell 7 code execution vulnerability

     

    Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core.

     

    PowerShell provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.

     

    It runs on all major platforms, including Windows, Linux, and macOS, and it allows working with structured data such as JSON, CSV, and XML, as well as REST APIs and object models.

    "Update as soon as possible"

    The company says no mitigation measures are available to block exploitation of the security flaw tracked as CVE-2021-26701.

     

    Customers are urged to install the updated PowerShell 7.0.6 and 7.1.3 versions as soon as possible to protect their systems from potential attacks.

     

    Microsoft's initial advisory also provides developers with guidance on updating their apps to remove this vulnerability.

     

    "The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability," Microsoft explained in April when the security flaw was patched.

     

    Any .NET 5, .NET Core, or .NET Framework-based app using a System.Text.Encodings.Web package version listed below is exposed to attacks.

     

    Package Name Vulnerable Versions Secure Versions
    System.Text.Encodings.Web 4.0.0 - 4.5.0 4.5.1
    System.Text.Encodings.Web 4.6.0-4.7.1 4.7.2
    System.Text.Encodings.Web 5.0.0 5.0.1

     

    While Visual Studio also contains the binaries for .NET, it is not vulnerable to this issue, according to Microsoft's security advisory.

     

    The update is offered to include the .NET files so that apps built using Visual Studio including .NET functionality will be protected from this security issue.

     

    "If you have questions, ask them in GitHub, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft added.

     

    Microsoft has also recently announced that it would be making it easier to update PowerShell on Windows 10 and Windows Server by releasing future updates through the Microsoft Update service.

     

    Update: Added a link to Microsoft's warning to install the updated versions ASAP.

     

     

    Microsoft warns of critical PowerShell 7 code execution vulnerability


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...