MS11-025 Visual C++ Update Issue

MS11-025 Visual C++ Update Issue

  • Comments 7

Greetings, I’m Raman Sharma, Program Manager with the Visual C++ team.

 

As part of the April Security Bulletin Release, Microsoft released security bulletin MS11-025. Since then, we became aware of some issues with this bulletin that impact some users on Windows 2000 and a subset of developers using Visual C++. Our team has identified the cause of these issues and is currently testing the fix. The update will be publicly available once testing is complete, and we will update this blog. As customer protection is a top priority for Microsoft, we are providing some workarounds for the impacted customers.


 


MFC applications running on Windows 2000

Issue

We discovered that the redistributable packages for Visual Studio 2005 and Visual Studio 2008 were propagated through Microsoft Update to Windows 2000, which is no longer a supported platform.

Developers who use Visual Studio 2005 and Visual Studio 2008 to produce applications for use on Windows 2000 machines are expected to distribute the appropriate redistributable package themselves. As a result of this automatic update, some applications dynamically linking to the MFC libraries on Windows 2000 were broken, as the updated MFC binaries happened to use an API unsupported on Windows 2000.

As soon as we became aware of this issue, we stopped automatically offering these updates on Windows 2000. We believe the exposure is fairly limited as this impacts only those applications that are dynamically linked to MFC.

 

Workaround

  • For those Windows 2000 users who were impacted, the process to remove the updates is as follows:

Windows 2000 users with “Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package”

To recover a machine:

  1. Uninstall the “Microsoft Visual C++ 2005 Service Pack 1 Redistributable” from Add/Remove Programs.
  2. Install the “Microsoft Visual C++ 2005 Service Pack 1 Redistributable” from:
    http://www.microsoft.com/downloads/en/details.aspx?familyid=766a6af7-ec73-40ff-b072-9112bab119c2&displaylang=en

 

Windows 2000 users with “Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package”

To recover a machine:

  1. Uninstall the “Microsoft Visual C++ 2008 Service Pack 1 Redistributable” from Add/Remove Programs.
  2. If you are on Windows 2000:
    1. Install the “Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package” from:
      http://www.microsoft.com/downloads/en/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en
    2. If you rely on any of the following KBs, re-install the “Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package” that came with these KBs:
      KB974479, KB979335, KB980848, KB982062, KB982107, KB982637, KB2435853, KB2465361, KB2495003

 

  • For developers the problem is slightly more complex. Visual Studio had specific updates that make the above changes to the files used to create applications so any application built on a machine, whether statically or dynamically linked will exhibit the problem. If you are currently building applications that you expect to deploy to Windows 2000 machines then you will need to do the following:

 

Developers with Visual Studio 2005

To recover a developer machine that has KB2465367 (Visual Studio 2005):

  1. Go to the Add/Remove Programs
  2. Make sure ‘Show Updates’ is checked.
  3. Under the “Visual Studio 2005” product node, there should be a KB2465367 entry. Select and uninstall.

 

Developers with Visual Studio 2008

To recover a developer machine that has KB2465361 (Visual Studio 2008):

  1. Go to the Add/Remove Programs
  2. Make sure ‘Show Updates’ is checked.
  3. Under the “Visual Studio 2008” product node, there should be a KB2465361 entry. Select and uninstall.
  4. Uninstall “Microsoft Visual C++ Runtimes for x86
  5. Uninstall “Microsoft Visual C++ Runtimes for x64


 


Visual Studio 2010 RTM with Windows SDK

Issue

If you have Visual Studio 2010 RTM and Windows SDK 7.1 installed on an x64 machine, then the Visual Studio 2010 update (KB2455033) fails to install on your machine.

 

Workaround

The workaround for this issue:

  1. Go to Add/Remove Programs and uninstall the package “Microsoft Visual C++ compilers 2010 Standard – enu – x64
  2. Try installing KB2455033 again.


 

Please note that the above workaround will not actually remove the compiler bits from your machine and you should still be able to use the x64 compilers. The workaround just addresses some incorrect definitions in the patch.

We hope to release the permanent fix for these issues soon. In the meantime, customers who follow the guidance above should not be affected.

If you have any questions please let us know.

 

 

Thank you,

Raman Sharma
Microsoft Visual C++ Team

  • Thanks for this update - also just so we're clear, it doesn't address the fact that there are bugs in the code even for non-Windows 2000 platforms - see

    tedwvc.wordpress.com/.../fixing-problems-with-findactctxsectionstring-in-mfc-security-updates

    for two of them (see code where I reference bugs #2 and #3), and

    blog.m-ri.de/.../bug-black-patchday-for-all-os-from-xp-and-later-3-mfc-8-0-vc-2005-or-mfc-9-0-vc-2008-linked-dynamically-to-the-mfc-may-not-find-the-mfc-language-dlls-after-installation-of-the-security-packs-d

    for more details on bug #2

    as well as an interesting difference with the added LoadLibraryEx call between the 2005 and 2008 version of the fix - the 2005 one (but not 2008) calls using LOAD_LIBRARY_AS_DATAFILE which is forbidden on old platforms for this reason:

    blogs.msdn.com/.../477802.aspx

  • I have Visual Studio 2008 installed on a build machine. I have performed the following

    3.Under the “Visual Studio 2008” product node, there should be a KB2465361 entry. Select and uninstall.

    4.Uninstall “Microsoft Visual C++ Runtimes for x86”

    5.Uninstall “Microsoft Visual C++ Runtimes for x64”

    No luck with the deliverables built after uninstalling these. The exes built were still pointing to the msvcp90.dll version 9.0.30729.5570

  • Solution "Windows 2000 users with “Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package" does not work for KB2467175. Still receiving findactctxsectionstringw errors for VMWare tools & users.

  • Allan, try instructions below (you have to manually copy the old ones, contrary to what Microsoft says above)

    tedwvc.wordpress.com/.../new-redists-break-all-dynamically-linked-mfc-20052008-apps-on-windows-2000

  • Thanks Ted. Your fix worked great. Several calls to Microsoft had only provided frustration as their attitude seemed to be that old software deserved to be broken even if their "Approved" updates were responsible for the problem.  

  • Hello,

    you wrote that you already test fix for problems ("Our team has identified the cause of these issues and is currently testing the fix").

    Please can you give us some estimation of when this fix will be released?

    Thanks,

    VViki

  • There is a new error C3861: 'AtlLoadSystemLibraryUsingFullPath': identifier not found error popup in the forums after this update. connect.microsoft.com/.../666237

Page 1 of 1 (7 items)