Visual Studio 2013 redistributable vulnerability patch KB5016315 won't install

Michał Tomaszewski 20 Reputation points
2023-04-20T12:56:05.34+00:00

Hello. I will start off by clarifying that I am not experienced in Windows programming and managing its libraries and such, so please forgive me if I miss something elementary here.

Anyway, at my work we use some older software that requires Microsoft Visual C++ 2013 Redist. in version 12.0.40660. It was lately discovered that there seems to be a known vulnerability, described here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35777

Since upgrading to versions higher than 2013 would require a lot of rework, we would like to first see if we can avoid doing that for now. The patch file is described to update the version to 12.0.40699.0. On the other hand, it would be most convenient for me to simply use the latest, patched redistributable .exe file in our installer, but it seems like the newest available version to download is version 12.0.40664.0. (So by looking at those numbers I assume the vulnerability is still there? I am unable to find any specifics regarding it.) Therefore, I have a few questions that I hope would clarify my understanding of the issue:

  1. If I understand it correctly, there is no published, ready to use vcredist_x86.exe file with this vulnerability patched, therefore I would need to first install the newest version (or 12.0.40660 as it was before), and then apply the patch to bump version to 12.0.40699.0
  2. Is there any way to get/generate single .exe file to use in our system?
  3. Most important issue: I tried running the KB5016315 patch on my system (Win11) on both 12.0.40660 and 12.0.40664.0, and in both cases it was not successful, with the error: "KB5016315 does not apply, or is blocked by another condition on your computer." The logfile does not seem to be very helpful to me. Any ideas why that might be? Is it because I am running only the redistributable? Is there something that I am missing?

Any help or tips would be greatly appreciated, as I am quite confused by all the behavior I am getting here.

Accepted answer
  1. Tianyu Sun-MSFT 34,446 Reputation points Microsoft External Staff
    2023-04-21T08:02:00.5433333+00:00

    Hello @Michał Tomaszewski,

    Welcome to Microsoft Q&A forum.

    For your first question, yes, they are different patches/packages, and you need to install both: one for the security update (vulnerability patch) and one for the Microsoft C and C++ (MSVC) runtime libraries (Visual C++ Redistributable).

    For your second question, if you mean merging these two setup .exe files into one .exe file, then maybe there are some tools which may meet your requirements, but normally, they are installed separately.

    For your third question, the KB5016315 patch needs some prerequisites, as mentioned here: Prerequisites => To apply this security update, you must have Visual Studio 2013 Update 5 installed. Please first confirm that you have VS 2013 Update 5 installed.


    Update 1:

    Actually, there are four packages/products mentioned here:

    1. Visual Studio 2013 Update 5 (Update package)
    2. Visual Studio 2013 with Update 5 (VS 2013 + Update 5)
    3. KB5016315 (Security Update package for VS 2013 Update 5)
    4. Visual C++ 2013 Redistributable package (C++ Redistributable package)

    They are different.

    To install KB5016315, you must have VS 2013 Update 5 installed, as it is applied to VS 2013 Update 5 (document: Prerequisites).

    To install VS 2013 Update 5, you need to have VS 2013 installed, as it is for VS 2013.

    As for the Visual C++ 2013 Redistributable package, it is a separate C++ Redistributable package and can be installed standalone.

    So when I directly look for "visual c++ 2013 update 5 download" in search engine, I get pointed to exactly …

    You can download and install VS 2013 Update 5 from here: VS 2013 Update 5. They are not the same; "Visual C++ Redistributable for Visual Studio 2013" is listed here: Visual C++ Redistributable for Visual Studio 2013.

    But again, patch does nothing.

    The KB5016315.exe (setup file) is 12.0.40699.0 (File version) / 12.0.40699 (Product version).

    It is for Visual Studio 2013 Update 5, not for the Visual C++ 2013 Redistributable package. The version you checked will not change from 12.0.40660 to 12.0.40699, and the latest version of the Visual C++ 2013 Redistributable package is 12.0.40664.0 (x86, x64). So the highest version number of the Visual C++ 2013 Redistributable package is 12.0.40664.0 (x86, x64) (document: Visual Studio 2013 VC++ 12.0).

    Summary

    If you just want to update the Visual C++ Redistributable package to 12.0.40664, you just need to download and install the latest one from here: Visual Studio 2013 VC++ 12.0. The version number will change after you install the latest version of the Visual C++ Redistributable package.

    If you want to install the security patch, just download and run it. If there are no error prompts and the dialog tells you that it is installed successfully, then you can confirm that it has been installed successfully.

    Sincerely,

    Tianyu
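
An added example, not part of the thread or of Microsoft's documentation: a PowerShell inventory that reports the two things the answer distinguishes, the installed Visual C++ 2013 Redistributable version and whether a Visual Studio 2013 product (which KB5016315 requires) is present at all. The display-name patterns and the choice of `msvcr120.dll` as the file to inspect are assumptions about how these products appear on a machine.

```powershell
# Added example; the display-name patterns below are assumptions, not documented identifiers.
$latestRedist = [version]'12.0.40664'   # latest redistributable version named in the answer
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

# Visual C++ 2013 Redistributable entries (assumed name pattern).
$redist = $products | Where-Object { $_.DisplayName -like '*Visual C++ 2013*Redistributable*' }
# Visual Studio 2013 itself, the product KB5016315 applies to (assumed name pattern).
$vs2013 = $products | Where-Object {
    $_.DisplayName -like '*Visual Studio*2013*' -and $_.DisplayName -notlike '*Visual C++*'
}

$redist | ForEach-Object {
    $v = $null
    $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
    if (-not $ok) { $status = 'version not parseable' }
    elseif ($v -ge $latestRedist) { $status = 'at or above 12.0.40664' }
    else { $status = 'older than 12.0.40664' }
    [pscustomobject]@{
        Name    = $_.DisplayName
        Version = $_.DisplayVersion
        Status  = $status
    }
} | Format-Table -AutoSize

# File version of the VC++ 2013 C runtime actually on disk.
foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
    $dll = Join-Path $dir 'msvcr120.dll'
    if (Test-Path $dll) { '{0}  {1}' -f $dll, (Get-Item $dll).VersionInfo.FileVersion }
}

if ($vs2013) {
    'Visual Studio 2013 entries found; confirm Update 5 is among them before running KB5016315:'
    $vs2013 | ForEach-Object { '  {0} {1}' -f $_.DisplayName, $_.DisplayVersion }
} else {
    'No Visual Studio 2013 entry found; the KB5016315 prerequisite (VS 2013 Update 5) is not met.'
}
```

On a machine that carries only the redistributable, the last branch is the one that prints, which matches the "does not apply" result described in the question.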

