dotnet · GrabYourPitchforks · Nov 13, 2024 · Nov 12, 2024 · Nov 13, 2024
@@ -42,7 +42,7 @@ As a simpler analogy, assume that calling `BinaryFormatter.Deserialize` over a p
 
 `BinaryFormatter` was implemented before deserialization vulnerabilities were a well-understood threat category. As a result, the code does not follow modern best practices. The `Deserialize` method can be used as a vector for attackers to perform DoS attacks against consuming apps. These attacks might render the app unresponsive or result in unexpected process termination. This category of attack cannot be mitigated with a `SerializationBinder` or any other `BinaryFormatter` configuration switch. .NET considers this behavior to be ***by design*** and won't issue a code update to modify the behavior.
 
-`BinaryFormatter.Deserialize` may be vulnerable to other attack categories, such as information disclosure or remote code execution. Utilizing features such as a custom <xref:System.Runtime.Serialization.SerializationBinder> may be insufficient to properly mitigate these risks. The possibility exists that a novel vulnerability will be discovered for which .NET cannot practically publish a security update. Consumers should assess their individual scenarios and consider their potential exposure to these risks.
+`BinaryFormatter.Deserialize` may be susceptible to other attack categories, such as information disclosure or remote code execution. Utilizing features such as a custom <xref:System.Runtime.Serialization.SerializationBinder> may be insufficient to properly mitigate these risks. The possibility exists that an attacker will discover a novel exploit which bypasses existing mitigations. .NET does not commit to publishing patches in response to any such bypasses, and in fact developing or deploying such patches might be technically infeasible. Consumers should assess their individual scenarios and consider their potential exposure to these risks.
 
 We recommend that `BinaryFormatter` consumers perform individual risk assessments on their apps. It is the consumer's sole responsibility to determine whether to utilize `BinaryFormatter`. If you're considering using it, you should risk-assess the security, technical, reputation, legal, and regulatory consequences.