Microsoft released its monthly Patch Tuesday updates on June 13, 2023. These updates addressed a number of security vulnerabilities, but one update (KB5028608) also caused some problems for users of .NET Framework on Windows 11 and 10.
One of the main problems was that the updates caused Malwarebytes to block Google Chrome. This was due to a change in the way that .NET Framework handles X.509 certificates. Prior to the update, .NET Framework would simply import the certificate without any additional validation. The update added further validation, which caused Malwarebytes to flag Chrome as a threat. Microsoft describes the resulting failure as follows:
“When using the X509Certificate, X509Certificate2, or X509Certificate2Collection class to import a PKCS#12 blob containing a private key, the calling application may observe the below exception.
System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations.
This failure affects PKCS#12 blobs which have been exported [e.g., via X509Certificate.Export(X509ContentType.Pfx)] without a password. The failure may occur non-deterministically.”
Out of Band Update Brings a Fix
Microsoft has since released out-of-band (OOB) updates to address these problems. The OOB updates for Malwarebytes can be downloaded from the Malwarebytes website, and the OOB update for Windows Update can be downloaded from the Microsoft Update Catalog. Microsoft explains the underlying change as follows:
“Prior to the June 13, 2023, change, when .NET Framework and .NET is presented with a binary certificate blob for import, .NET Framework and .NET would typically delegate validation and import of the blob to the underlying OS. For example, on Windows, .NET Framework and .NET would typically rely on the PFXImportCertStore API for validation and import.
As of the June 13, 2023, change, when .NET Framework and .NET is presented with a binary certificate blob for import, .NET Framework and .NET will in some circumstances perform additional validation before handing the blob to the underlying OS. This additional validation performs a series of heuristic checks to determine if the incoming certificate would maliciously exhaust resources upon import. Since this is additional validation beyond what the underlying OS would normally perform, it may block certificate blobs which would have successfully imported prior to the June 13, 2023, change.”
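To find out which password-less PFX files carry large key-derivation work factors, the cost that the "maximum allowed iterations" exception refers to, the added example below walks a PKCS#12 blob's DER and sums every salt/iteration pair it finds. It is not Microsoft's code and not the algorithm .NET uses; the budget value, the function names and the sample bytes are assumptions made for illustration.

```python
# Added example: heuristic PKCS#12 work-factor triage; not .NET's own algorithm.
ASSUMED_BUDGET = 600_000  # assumption for illustration; the page states no limit

def read_tlv(buf, pos):
    """Parse one definite-length DER TLV at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite (BER) or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0  # split a value into its (tag, value) children
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def iteration_counts(blob, max_depth=32):
    """Collect every INTEGER that directly follows an OCTET STRING (salt, count)."""
    found = []
    def walk(value, depth):
        try:
            kids = children(value)
        except ValueError:
            if depth == 0:
                raise  # the outer blob itself must be valid DER
            return     # nested bytes were opaque data (e.g. a salt), not DER
        for i, (tag, val) in enumerate(kids):
            if depth < max_depth and (tag & 0x20 or tag == 0x04):
                walk(val, depth + 1)  # OCTET STRINGs in a PFX often wrap more DER
            if tag == 0x04 and i + 1 < len(kids) and kids[i + 1][0] == 0x02:
                found.append(int.from_bytes(kids[i + 1][1], "big"))
    walk(blob, 0)
    return found

def over_budget(blob, budget=ASSUMED_BUDGET):
    return sum(iteration_counts(blob)) > budget

# Constructed sample: PFX-shaped skeleton (not a usable certificate).
PBE = "301d060a2a864886f70d010c0103300f0408a1b2c3d4e5f607180203061a80"  # salt, 400000
MAC = "301030000408a1b2c3d4e5f60718020207d0"  # MacData-shaped: salt, 2000
SAMPLE = bytes.fromhex("305b020103" + "3044a0420440303e" + PBE + PBE + MAC)
```

Pass the raw bytes of a `.pfx` file to `over_budget` to triage it. The walker accepts definite-length DER only, so a BER blob with indefinite lengths raises `ValueError` rather than being silently under-counted.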
If you are experiencing problems with .NET Framework after installing the June 13 Patch Tuesday updates, you can try installing the OOB updates. If you are still having problems, you can contact Microsoft support for help.