
Microsoft Asp.Net MVC Security Update MS14-059 broke my build!


Microsoft just released a new security update to be automatically applied to machines configured to use Microsoft Update.  The security bulletin is available here: https://technet.microsoft.com/en-us/library/security/ms14-059

Unfortunately, some ASP.NET MVC 3 and 4 VS projects can no longer build after the update is applied. These projects will fail with the following error:

 Could not locate the assembly "System.Web.Mvc,Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35,processorArchitecture=MSIL".

This happens when your project references assemblies from the GAC or the Reference Assemblies folder. Project references to System.Web.Mvc.dll are no longer resolved because the assembly version of System.Web.Mvc.dll was incremented. 

The problem can be resolved by implementing one of the following solutions:

  1. (Preferred) Install Microsoft.AspNet.Mvc from the NuGet gallery (this will install a binding redirect in your web.config).  You can do this from the NuGet package manager or the NuGet console inside Visual Studio:

    >Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME

    MVC 4 version: 4.0.40804.0

    MVC 3 version: 3.0.50813.1

  2. Manually update the reference to System.Web.Mvc.dll (don’t use the one in the GAC).

    Try the Add Reference -> Assemblies -> Extensions dialog box. 

In either case, ensure that the CopyLocal project property for the assembly is set to true so that the assembly ends up in your bin folder, which is needed for deployment. There is a known NuGet bug that resets the CopyLocal flag: https://nuget.codeplex.com/workitem/4344
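To find affected projects before the build breaks, the two conditions above (a System.Web.Mvc reference with no HintPath, and CopyLocal not set to true) can be checked directly in the .csproj file. The following is an added example, not code from the original post; the two sample project files and the function names are constructed for illustration, and the HintPath follows the usual NuGet packages folder layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample project files (not from the original post).
BEFORE = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
    <Reference Include="System.Web" />
  </ItemGroup>
</Project>"""

AFTER = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="System.Web.Mvc">
      <HintPath>..\packages\Microsoft.AspNet.Mvc.4.0.40804.0\lib\net40\System.Web.Mvc.dll</HintPath>
      <Private>True</Private>
    </Reference>
  </ItemGroup>
</Project>"""


def _local(tag):
    """Strip the MSBuild XML namespace so the element name can be compared."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    """Return the trimmed text of the first direct child called `name`, or ''."""
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_mvc_references(csproj_xml):
    """Return (Include value, list of findings) for every System.Web.Mvc reference."""
    results = []
    for ref in ET.fromstring(csproj_xml).iter():
        if _local(ref.tag) != "Reference":
            continue
        include = ref.get("Include", "")
        if include.split(",")[0].strip().lower() != "system.web.mvc":
            continue
        findings = []
        if not _child_text(ref, "HintPath"):
            findings.append("no HintPath: resolves from the GAC or Reference Assemblies")
        if _child_text(ref, "Private").lower() != "true":
            findings.append("Copy Local (<Private>) is not explicitly True")
        results.append((include, findings))
    return results
```

In a project file, the CopyLocal property is stored as the `<Private>` element of the reference. A reference with an empty findings list points at a specific file on disk and is copied to the bin folder.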

For MVC projects built prior to VS 2012, references to MVC assemblies were added from either the GAC or the Reference Assemblies folder. Most recent MVC templates add references to assemblies installed via NuGet packages, which is why option No. 1 above is preferred. The NuGet gallery has become very popular.

As a side note, a similar issue may occur when creating a new MVC 3 project in Visual Studio 2010. This is documented in the security bulletin:

MVC 3.0 RTM is installed on my system and after installing the update I can no longer create a new project in Visual Studio 2010, how can I correct this? 
ASP.NET MVC 3.0 templates for Visual Studio 2010 rely on assemblies that are installed in the Reference Assemblies folder. Since the updated version of the assembly for MVC 3.0 is incremented, templates will no longer work. To solve this problem, install the MVC 3.0.1 tooling refresh for Visual Studio 2010. 

Finally, the assembly version was incremented to secure applications deployed on servers owned by third parties, where the vulnerable assembly may be in the GAC. To ensure the application runs the secure assembly, the assembly version had to be incremented.

