CVE-2020-1469: Bond Denial of Service Vulnerability

Overview

Severity: N/A
Category: Denial of Service
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Jul
Released: 2020-07-14
EPSS Score: 6.19% (percentile: 90.9%)

Description

A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input. An attacker who successfully exploited the vulnerability could cause a process using Bond to stop responding. To exploit this vulnerability, an attacker would need to upload specially crafted content to a Bond parser. The update addresses the vulnerability by correcting the way Bond processes input.

FAQ

Which versions of Bond contain the vulnerability?

All previously released versions of Bond are vulnerable. This includes every release from the first version (3.x) through 9.0. The update is in Bond 9.0.1.

Affected Products (1)

Open Source Software

  • Bond 9.0.1

Security Updates (1)

Acknowledgments

Ben Haham Hay, Microsoft Defender ATP Client Team

Revision History

  • 2020-07-14: Information published.