Today we released a minor update to Silverlight 5. The 32 and 64
bit update version number is 5.1.10411.0. (The documentation said
5.2 at first, but this has been fixed.)
This will be rolled out to everyone. We throttle large
updates of products at the start, so for some folks it was not
automatically downloaded this morning.
This is primarily an important security update addressing an TrueType security issue that was reported across a
large number of products. Some folks (like me) have reported
issues seeing the TechNet page which has the information about the
security issue, so I've repeated it here:
Executive Summary
This security update resolves three publicly disclosed
vulnerabilities and seven privately reported vulnerabilities in
Microsoft Office, Microsoft Windows, the Microsoft .NET Framework,
and Microsoft Silverlight. The most severe of these vulnerabilities
could allow remote code execution if a user opens a specially
crafted document or visits a malicious webpage that embeds TrueType
font files. An attacker would have no way to force users to visit a
malicious website. Instead, an attacker would have to convince
users to visit the website, typically by getting them to click a
link in an email message or Instant Messenger message that takes
them to the attacker's website.
This security update is rated Critical for all supported
releases of Microsoft Windows; for Microsoft .NET Framework 4,
except when installed on Itanium-based editions of Microsoft
Windows; and for Microsoft Silverlight 4 and Microsoft Silverlight
5. This security update is rated Important for Microsoft Office
2003, Microsoft Office 2007, and Microsoft Office 2010. For more
information, see the subsection, Affected and Non-Affected
Software, in this section.
The security update addresses the most severe of these
vulnerabilities by correcting the manner in which affected
components handle specially crafted TrueType font files and by
correcting the manner in which GDI+ validates specially crafted EMF
record types and specially crafted EMF images embedded within
Microsoft Office files. For more information about the
vulnerabilities, see the Frequently Asked Questions (FAQ)
subsection for the specific vulnerability entry under the next
section, Vulnerability Information.
Recommendation. The majority of customers have automatic
updating enabled and will not need to take any action because this
security update will be downloaded and installed automatically.
Customers who have not enabled automatic updating need to check for
updates and install this update manually. For information about
specific configuration options in automatic updating, see Microsoft Knowledge
Base Article 294871.
For administrators and enterprise installations, or end users
who want to install this security update manually, Microsoft
recommends that customers apply the update immediately using update
management software, or by checking for updates using the Microsoft
Update service.
See also the section, Detection and Deployment Tools and
Guidance, later in this bulletin.
This is more of a GDR level release, but we needed to follow a
new version number scheme. The version number doesn't indicate
major functionality change or enhancement, but is actually a
product of the build process. I'm reading the pages of discussion
in our bug database covering this versioning numbering and the
reasons why it went to 5.1. It really only makes sense if you're
using our internal build tools :)
Note also, that as was the case in the Silverlight 4.0
to 4.1 updates, we reset the build number. This shouldn't
be a problem unless you have code that is checking a build number
without looking at the version number as a whole.
Release history from
http://www.microsoft.com/getsilverlight/locale/en-us/html/Microsoft%20Silverlight%20Release%20History.htm
Silverlight 5 Build 5.1.10411.0 Released May 8, 2012
All updates to Microsoft Silverlight include functional,
performance, reliability and security improvements and are backward
compatible with web applications built using previous versions of
Silverlight.
- Fixes Security issue described in the following Microsoft
Knowledge Base article: 2636927 MS12-034: Description of the security
update for Microsoft Silverlight: May 8, 2012
- Fixes an issue where "Best Effort" Silverlight Digital Rights
Management Output Protection levels failed on some machines.
- Fixed a failure to update OOB applications that are configured
to use elevated trust when in browser.
- Fixes an issue where persistent license acquisition would fail
when a customer upgrades from Silverlight 4 to Silverlight 5.
- Fixes an issue where certain character combinations can cause
Silverlight application to crash.
- Fixes an Access Violation described in the following Connect
issue
https://connect.microsoft.com/VisualStudio/feedback/details/719572
- Fixes an issue where the SL5 plugin displays blank window after
installing a font with a font name that starts with "&".
- Fixes an issue where moving a focus to TextBox or RichTextBox
after moving a focus to ItemsControl causes IME to be
disabled.
- Fixes an issue where Silverlight would not play content which
required Output Protection.
- Fixes a Silverlight DRM issue where some customers encounter
hardware ID mismatch errors which can only be resolved by
re-individualization.
Be sure to let us know if you run into any issues with this
release.
