Recommend updating to msquic 2.4.8

[GrabYourPitchforks]

The msquic folks recently released v2.4.8. Though this was not a security release, it does contain some defense-in-depth improvements related to how library load occurs.

Because of this, there's a risk that third-party vulnerability scanners may start to mark versions prior to 2.4.8 as suspicious, and that might cause false positive alerts for our customers. We should get ahead of this by proactively pulling 2.4.8 into our builds. There's no need for us to make a servicing release just for this, but it'd be good to get the update to come along for the ride the next time we have a scheduled servicing release.

Relatedly, .NET 8.0.x currently takes a dependency on msquic v2.3.x. The 2.3.x branch exits support in Sep 2025, well ahead of .NET 8's end of life. We should update the 8.0.x branch to keep ahead of any end-of-life mismatches here.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[AustinWise]

Since #112359 was merged in this repo, msquic.dll is the only remaining DLL in the Microsoft.NETCore.App.Runtime Nuget package that has vulnerability to DLL injection. So it would be great if this could be fixed.

[GrabYourPitchforks]

Just to clarify, there is no vulnerability. The report concerned app-path DLL injection, which has a severity of Low and never gets an assigned CVE. (For .NET specifically, we always triage app-path DLL injection reports as "None", not "Low".)

[AustinWise]

Good to know. I agree DLL injection has very minor severity.

If I happen to find another DLL injection issue in the future, should I continue to send reports to MSRC first and let them make the call on severity? I could not find any policy linked from the SECURITY.md file in this repo that says I should do otherwise.

[GrabYourPitchforks]

@AustinWise here's how MSRC triages them:

https://msrc.microsoft.com/blog/2018/04/triaging-a-dll-planting-vulnerability/

If you're ever unsure of what to do, feel free to report it and it will get triaged and assigned to the right team.

https://msrc.microsoft.com/report/vulnerability/new

Thanks!

[ManickaP]

Fixed in #113206 and #11205.