Lucene search

K
mskbMicrosoftKB4571481
HistorySep 08, 2020 - 7:00 a.m.

Description of the security update for the remote code execution vulnerability in Microsoft Visual Studio 2015 Update 3: September 8, 2020

2020-09-0807:00:00
Microsoft
support.microsoft.com
52

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Description of the security update for the remote code execution vulnerability in Microsoft Visual Studio 2015 Update 3: September 8, 2020

Applies to: All Visual Studio 2015 Update 3 editions except Isolated and Integrated Shells, Build Tools, Remote Tools, and Express for Web

NoticeIn November 2020, the content of this article was updated to clarify the affected products, prerequisites, and restart requirements. Additionally, the update metadata in WSUS was revised to fix a Microsoft System Center Configuration Manager reporting bug.

Summary

A remote code execution vulnerability exists in Microsoft Visual Studio 2015 when it incorrectly handles objects in memory.To learn more about the vulnerability, see CVE-2020-16874 and CVE-2020-16856.

How to obtain and install the update

Visual Studio 2015 Update 3

Method 1: Microsoft Download

The following file is available for download:DownloadDownload the hotfix package now.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

More information

Prerequisites

To apply this security update, you must have both Visual Studio 2015 Update 3 and the subsequent Cumulative Servicing Release KB 3165756 installed. Typically, KB 3165756 is installed automatically when you install Visual Studio 2015 Update 3. However, in some cases, you have to install the two packages separately.

Restart requirement

We recommend that you close Visual Studio 2015 before you install this security update. Otherwise, you may have to restart the computer after you apply this security update if a file that is being updated is open or in use by Visual Studio.

Security update replacement information

This security update doesn’t replace other security updates.

File hash information

File name SHA1 hash SHA256 hash
vs14-kb4571481.exe 4C12ABEE43A0549C56DE8DCF31D7B7BE5C3AE035 9B31156D77CFEBCB85C50959FC649CA37FDB9584E5A805AAEC80EBD82FE4EA7C

Installation verification

To verify that this security update is applied correctly, follow these steps:

  1. Open the Visual Studio 2015 program folder.
  2. Locate the Dxtex.dll file in the Microsoft Visual Studio 14.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  3. Verify that the file version is equal to or greater than 14.0.27543.0.
    If you elected to install the optional component (Windows 8.1 and Windows Phone 8.0/8.1 Tools), follow these additional steps:
  4. Locate the Dxtex.dll file in the Microsoft Visual Studio 12.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  5. Verify that the file version is equal to or greater than 12.0.40689.0.
  6. Locate the Dxtex.dll file in the Microsoft Visual Studio 11.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  7. Verify that the file version is equal to or greater than 11.0.61246.400.

Information about protection, security, and support

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C