Microsoft cuts BinaryFormatter from .NET 9

Citing a security concern, Microsoft announced it is removing the BinaryFormatter from the planned .NET 9 open source application platform. Microsoft outlined the risk of using BinaryFormatter in an August 28 blog post, stating: “Any deserializer, binary or text, that allows its input to carry information about the objects to be created is a security problem waiting to happen.” A deserializer method can be used as a vector for DDoS attacks against consuming apps.

The company post links to a common weakness enumeration (CWE) definition describing the issue: CWE-502: Deserialization of Untrusted Data. In deciding to remove the formatter from .NET 9, which is due as a production release in November, Microsoft said it strongly believes .NET should make it easy for users to do the right thing and hard if not impossible to do the wrong thing. Shipping a technology that is widely regarded as unsafe counters this goal, the company said.

BinaryFormatter was previously excluded from .NET Core 1.0 but customer demand had it reinstated in .NET Core 2.0. Since then, there has been a path to removing BinaryFormatter, slowly turning it off by default in multiple project types but offering opt-in flags if still necessary for backward compatibility.

There are two options for addressing the removal of BinaryFormatter's implementation, the company said: migrate away from BinaryFormatter or keep using it. A migration guide lists options for those who intend to stop using the technology. Those who intend to keep using the formatter in .NET 9 will need to depend on the unsupported System.Runtime.Serialization.Formatters NuGet package.

For .NET, Microsoft removed all remaining in-box dependencies on BinaryFormatter and replaced the implementation. Moving forward, the company said, new code should not take a dependency on BinaryFormatter, and alternatives should be examined for existing code. Users who do not control the serializer but only consume its output can consider reading the BinaryFormatter payload without deserializing it.
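To make the migration concrete, here is an added example (not code from the article or from Microsoft's migration guide) that places the deserialization pattern CWE-502 describes beside a contract-bound replacement. The `Settings` record, the choice of System.Text.Json as the replacement serializer, and the hypothetical `UntrustedPayloads` class are assumptions made for this illustration.

```csharp
// Added example; not from the article or Microsoft's migration guide.
// Assumes a .NET 9 project. System.Text.Json ships in-box; the BinaryFormatter
// type only compiles with the unsupported System.Runtime.Serialization.Formatters
// package referenced in the article.
using System;
using System.IO;
using System.Text.Json;

// Assumed payload contract for this example.
public sealed record Settings(string Name, int Retries);

public static class UntrustedPayloads
{
    // Before: the pattern CWE-502 describes. The payload itself carries the
    // names of the types to instantiate, so whoever controls the stream
    // controls which objects get created. Even with the NuGet package in .NET 9
    // this throws unless the EnableUnsafeBinaryFormatterSerialization switch
    // is deliberately turned on.
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and unsafe
    public static object RiskyLoad(Stream untrusted)
    {
        var formatter = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
        return formatter.Deserialize(untrusted); // type graph chosen by the input
    }
#pragma warning restore SYSLIB0011

    // After: a contract-bound format. The target type is fixed by the code,
    // not by the payload; members the contract does not declare are ignored,
    // and the depth limit bounds nested input.
    public static Settings SafeLoad(ReadOnlySpan<byte> untrustedUtf8Json)
    {
        var options = new JsonSerializerOptions { MaxDepth = 16 };
        return JsonSerializer.Deserialize<Settings>(untrustedUtf8Json, options)
               ?? throw new InvalidDataException("payload was JSON null");
    }

    // Matching writer, so both ends of the app move off BinaryFormatter together.
    public static byte[] Save(Settings s) => JsonSerializer.SerializeToUtf8Bytes(s);
}
```

The point of the contrast is the source of type information: in `RiskyLoad` the input decides what is constructed, in `SafeLoad` the code does.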

Microsoft’s .NET Framework, a Windows-only version of .NET, is unaffected by the change. But Microsoft also recommends no longer using BinaryFormatter in .NET Framework.
