In case you forgot, Microsoft will end product support for some older versions of .Net Framework on Jan. 12, 2016.
This means .Net Framework 4, 4.5, and 4.5.1 will no longer receive security patches and other updates in January. Organizations using .Net Framework versions 4.5.2, 4.6, and 4.6.1 don't have to worry as they are not affected.
Organizations should upgrade their applications to 4.5.2, 4.6, or 4.6.1; otherwise their applications could be at risk from attackers targeting vulnerabilities in the framework. Don't forget to check the version of .Net Framework installed on Azure and other cloud service deployments. The Azure team will be making updated images available with the .Net Framework 4.5.2 for guest OS families 2.x, 3.x and 4.x, in order to support apps deployed to Azure. The updated images are already available, and will be available for automatic deployment in January.
Microsoft originally treated .Net Framework as an independent product and not as a component of the operating system. Note that .Net Framework 4 did not ship in any operating system. While version 4.5 was included in Windows 8 and Windows Server 2012, it was also available as a stand-alone redistributable package.
Beginning with .Net Framework 3.5 Service Pack 1, Microsoft changed the relationship so that the framework is a component of the operating system, and its support lifecycle is the same as the underlying Windows operating system's support lifecycle. With this change, components are supported so long as the Windows operating system is supported. This is why .Net Framework 3.5 SP1, despite being a version before 4 and 4.5, will continue to be supported past the Jan. 12 deadline.
"The decision to end support for these versions will allow us to invest more resources towards improvements of the .Net Framework," Stacey Haffner, a security program manager at Microsoft, wrote on the official .Net Blog this week.
Developers can look at the Windows Registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full key to find out which version of the .Net Framework is installed on the local system. The blog post has a table explaining which key values are associated with which versions of the framework.
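The registry check described above can be scripted. The following is an added example, not code from the article or from Microsoft's blog post; it assumes the `Release` DWORD under that key and the minimum Release values from Microsoft's published .Net Framework version table, neither of which is spelled out in the article.

```powershell
# Added example: map the v4\Full "Release" DWORD to a .NET Framework 4.x version
# and flag versions that stop receiving updates on Jan. 12, 2016.
# Thresholds are the lowest Release value Microsoft documents for each version
# (assumption: taken from Microsoft's version table, not from this article).
$floors = @(
    @{ Min = 394254; Version = '4.6.1 or later' },
    @{ Min = 393295; Version = '4.6' },
    @{ Min = 379893; Version = '4.5.2' },
    @{ Min = 378675; Version = '4.5.1' },
    @{ Min = 378389; Version = '4.5' }
)
$supported = @('4.5.2', '4.6', '4.6.1 or later')

function ConvertTo-NetFxVersion {
    param($Release)
    # 4.0 installs create the Full key but never write a Release value.
    if ($null -eq $Release) { return '4.0' }
    foreach ($f in $floors) {
        if ([int]$Release -ge $f.Min) { return $f.Version }
    }
    return 'unrecognized'
}

$key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
if (Test-Path $key) {
    $release = (Get-ItemProperty -Path $key).Release
    $version = ConvertTo-NetFxVersion $release
    # One object per host, so results can be collected and filtered.
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        Release        = $release
        Version        = $version
        StillSupported = ($supported -contains $version)
    }
} else {
    Write-Output 'No .NET Framework 4.x full profile found on this system.'
}
```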
Since the newer versions install as "in-place" upgrades, older versions don't have to be uninstalled first. The newer versions have compatibility features baked in to support applications built and maintained on older .Net Framework versions. A new feature called "quirking" maintains the semantics of earlier applications and lets applications run on later .Net Framework versions without targeting the new version.
The .Net runtime knows which of these semantics or quirks to execute depending on the .Net Framework version that the application targets, the blog post said.
"We recommend customers and developers complete the in-place update to .Net Framework 4.5.2 by January 12, 2016 to continue receiving technical support and security updates," Haffner wrote.
The Jan. 12 deadline is also significant for another reason: Organizations must have migrated to the latest version of Internet Explorer by that date. Organizations need to use the latest version of Internet Explorer supported by the Windows operating system. While that generally would mean Internet Explorer 11 for most users, there is some flexibility since older Windows versions do not support the latest version of IE. For example, Vista users cannot go beyond IE9. Organizations that don't change to IE11 by that date would lose IE product support. Considering the increase in Web-based attacks and how frequently IE is targeted, staying on older versions is a serious risk.