.NET updates (Dec. 13, 2022) fix vulnerability CVE-2022-41089, but cause issues

As of December 13, 2022 (Patchday), Microsoft has also released updates for .NET 7.0.1, .NET 6.0.12 and .NET Core 3.1.32. These are intended to address the CVE-2022-41089 vulnerability, which allows remote code execution. But because the update makes changes to the way WPF-based applications render XPS documents, there are problems with applications that use WPF. However, Microsoft has published a support article KB5022083 including two workarounds.


.NET-Releases/Updates December 13, 2022

Microsoft has listed the relevant updates for the .NET framework (.NET 7.0.1, .NET 6.0.12 and .NET Core 3.1.32) in this article on the developer blog. Downloads are available for versions 7.0.1, 6.0.12, and 3.1.32 for Windows, macOS and Linux, for x86, x64, Arm32 and Arm64. Here are the links to the relevant download versions, the installer and documents:

The article here lists the improvements made by the updates.

Vulnerability CVE-2022-41089

In .NET Core 3.1, .NET 6.0 and .NET 7.0 a vulnerability, CVE-2022-41089, has been found. The vulnerability leaves applications vulnerable to remote code execution (RCE). Through the vulnerability, a malicious actor could cause a user to execute arbitrary code by parsing suitably malformed XPS files, Microsoft writes. The vulnerability received a CVSS score of 7.8.

The list of .NET security updates (Microsoft .NET Framework 3.5, 4.6/4.6.2 and 4.8.1) can be viewed via this Microsoft page. The article here contains an overview of the .NET Framework December 2022 Security and Quality Rollup Updates.

Issues with WPF applications

German blog reader Bernie has already pointed out issues related to the .NET update in this comment. These .NET updates cause issues (a program crash) with applications that use Windows Presentation Foundation (WPF for short) as their graphics framework.


Bernie writes that two specialist applications are currently affected. However, the crashes only occur when the applications render Office documents in XPS format.

Microsoft is aware of the problem and writes that WPF applications may exhibit changed behavior after installing this update. Microsoft has published support article KB5022083 on the issue, which outlines the changes when editing XPS documents. It says that XPS documents that use structural or semantic elements, such as a table structure, storyboards or hyperlinks, may not display correctly in WPF-based readers.

Workaround 1: PowerShell Script

Microsoft has created a PowerShell script that fixes this issue. The workaround is described in support post KB5022083. Thanks to Bernie. Anyone affected by these WPF issues?

Workaround 2: Registry entry

Addendum: Microsoft later added to the support article and describes a registry entry that can be applied if the PowerShell approach fails. For this purpose, the following command can be executed in an administrative command prompt.

reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64

Alternatively, you can use Group Policy to create a REG_SZ entry under the key:

HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes

with the value name DisableDec2022Patch and the data "*". This disables the advanced functionality across devices and should only be used if all XPS inputs in the system can be fully trusted.

Warning: The registry entry should be used only if it is certain that all XPS documents processed by the system are trustworthy. This is true if only XPS content generated on the system itself is processed and cannot be modified by third parties. Do not disable the function if you accept XPS documents from the Internet, e-mails from external entities or other untrusted sources.
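Because the registry override switches the XPS hardening off again, an administrator will want to know on which hosts it has been left in place and whether the patched runtimes are actually installed. The following PowerShell check is an added example, not code from the blog post or from Microsoft's KB article; it assumes dotnet is on PATH and that the patched versions are the ones named above (7.0.1, 6.0.12, 3.1.32).

```powershell
# Added example: audit one Windows host for the December 2022 .NET patch state.
# Assumes 'dotnet' is on PATH; reading the registry key needs no elevation.

$PatchedVersions = @{
    '3.1' = [version]'3.1.32'
    '6.0' = [version]'6.0.12'
    '7.0' = [version]'7.0.1'
}

function Get-DotNetRuntimeStatus {
    # 'dotnet --list-runtimes' prints lines such as:
    # Microsoft.WindowsDesktop.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    # Pre-release versions (e.g. 7.0.0-rc.2) do not match the pattern and are skipped.
    $lines = & dotnet --list-runtimes 2>$null
    foreach ($line in $lines) {
        if ($line -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)\s+\[') {
            $ver   = [version]$Matches.ver
            $major = "$($ver.Major).$($ver.Minor)"
            if ($PatchedVersions.ContainsKey($major)) {
                [pscustomobject]@{
                    Runtime = $Matches.name
                    Version = $ver
                    Patched = ($ver -ge $PatchedVersions[$major])
                }
            }
        }
    }
}

function Get-XpsOverrideStatus {
    # Same key and value name as the 'reg add' command in KB5022083 (64-bit view).
    $key  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes'
    $item = Get-ItemProperty -Path $key -Name 'DisableDec2022Patch' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OverridePresent = ($null -ne $item)
        Data            = if ($item) { $item.DisableDec2022Patch } else { $null }
    }
}

Get-DotNetRuntimeStatus | Format-Table -AutoSize
$override = Get-XpsOverrideStatus
if ($override.OverridePresent) {
    Write-Warning "DisableDec2022Patch is set to '$($override.Data)': the XPS fix for CVE-2022-41089 is disabled on this host."
}
```

Hosts that report the override as present should be revisited once the affected WPF applications have been updated, so that the workaround does not outlive the compatibility problem it was meant to bridge.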
