The problem with C++ Redists & 3rd Party security patches – III

[German] In parts 1 and 2 of this article series I picked up a hint from blog reader Karl (al Qamar) about a problem with security updates for the Visual C++ runtime libraries (redistributables). In part 3 I sketch another solution and publish Karl's Q&A list on the topic.


The solution: All-In-One Runtime from third party vendors

To get out of this situation, you need a tool that uninstalls the old Visual C++ runtime libraries and installs the current ones. Karl wrote:

There is a solution for this problem – the All in One Runtimes 2.4.x from Patrick Kuhnke.

It is recommended to restart the program, as redist-files will be replaced during restart if necessary.

This tool, which I also contributed to at a later date, uninstalls all outdated C++ Redists versions 2005, 2008, 2010, 2012, 2013 and 2015 and installs the currently released, secure versions.

The tool can then be used to uninstall the old runtime environments and install the current ones. A short description can be found on the website and here and here.

Questions & Answers (Q&A)

Q: Why should I update the C++ Redists at all, everything is running?

A: Because almost all programs running under Windows access them, and they are vulnerable to buffer overflows or other programmatic attacks.


Q: Some programs install old C++ Redists although a newer version already exists. Will that protect me?

A: No, MS has failed to provide effective protection against overwriting and side-by-side installations until C++ 2013. Unfortunately some programs do not use the Redists provided in Windows but keep them in their own program directory. But I wouldn’t go so far as to replace them. However, these components are not expected to be patched by the software vendor (similar to OpenSSL).

Q: Why is there even this side-by-side installation?

A: The idea was (some sources told me, though it was not used effectively) to give developers the opportunity to test new releases of the C++ Redists more easily for possible problems.

Q: Are there any problems when updating the old versions?

A: I’m not aware of any known issue related to the update itself. Even antiquated medical programs, where programmers give little thought to such things, were still functional in production environments. Even special software such as Datev or Adobe did not cause any interference. Extremely rarely, problems can occur if the side-by-side store (WinSxS) is defective. But then the manual uninstallation and re-installation of the affected C++ Redists helped.

Q: Are there separate redists for each C++ release?

A: Basically, yes. The C++ 2015 Redists have now been replaced by C++ 2017. But this is a novelty.

Q: Why do we need old C++ 2005 Redists, if there are already C++ 2017 Redists available?

A: It’s like .NET: .NET 2.0-3.5 is required for old applications compiled with this framework, while you can use .NET 4.0-4.7 together. With the C++ Redists it is exactly the same: depending on which Visual Studio C++ version was used to compile the application, you need the appropriate runtimes.

Q: I always see in programs and features at least 2 entries, x86 and x64. Is that correct?

A: Yes, even if you are using a 64-bit (x64) OS, the program in question can still be compiled in 32-bit (x86).

Q: What do I do if there are several Redists with different versions?

A: Uninstall the old versions, or run the tool. If the tool leaves old version entries (can occur rarely), they should be uninstalled manually.

Q: On servers there are not only the Redists but also some other C++ runtimes. Is this the same?

A: No, these runtimes contain an extended range of functions and are much larger. They often come with SQL Server or Exchange. However, the versioning principle is the same.

Q: Why doesn’t MS manage the “chaos” itself?

A: Good question! Although there has been a version check since 2013, it is still sometimes the case that C++ 2013 / 2015 will install, although a newer version is already installed.

Q: The following message appears during uninstallation: Error code 0x01

A: This is nothing bad: if the program does not find a version, for example, it misinterprets the error level of the batch file.

Q: What does a “correct” installation currently look like?

A: Here is the list of modules.

Visual C++ Redistributables (screenshot)
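To produce such a list on your own machine before and after a cleanup, here is an added PowerShell example (not from the article and not part of the All in One Runtimes tool). It reads the Uninstall registry keys that Programs and Features shows, keeps the Visual C++ Redistributable entries, and flags releases that have more than one entry per architecture, which is the situation in which old versions should be uninstalled manually.

```powershell
# Added example: inventory of installed Visual C++ Redistributables.
# Not the article's or the tool's own code; the registry paths are the
# standard Uninstall keys, the display-name parsing is an assumption
# based on Microsoft's naming ("... 2013 Redistributable (x64) - 12.0...").
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    # Only the visible "Redistributable" packages; the hidden
    # "Minimum/Additional Runtime" sub-entries of 2015+ are left out.
    Where-Object { $_.DisplayName -match 'Visual C\+\+.*Redistributable' } |
    ForEach-Object {
        # Visual Studio release year (2005 ... 2017); entries without an
        # explicit x64 marker (e.g. the 2005 x86 package) count as x86.
        $year = if ($_.DisplayName -match '(20\d\d)') { $Matches[1] } else { 'unknown' }
        $arch = if ($_.DisplayName -match 'x64') { 'x64' } else { 'x86' }
        [PSCustomObject]@{
            Release     = $year
            Arch        = $arch
            Version     = $_.DisplayVersion
            DisplayName = $_.DisplayName
            Uninstall   = $_.UninstallString
        }
    }

# Full inventory, grouped the way the screenshot above lists the modules.
$entries | Sort-Object Release, Arch, Version |
    Format-Table Release, Arch, Version, DisplayName -AutoSize

# Several entries for one release/architecture usually mean an outdated
# side-by-side copy survived; print them with their uninstall commands.
$entries | Group-Object Release, Arch | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Host "Multiple entries for Visual C++ $($_.Name):"
    $_.Group | Sort-Object Version | ForEach-Object {
        Write-Host "  $($_.Version)  $($_.DisplayName)"
        Write-Host "    uninstall: $($_.Uninstall)"
    }
}
```

Run it in an elevated PowerShell before the cleanup to record the starting state, and again afterwards to confirm only one current entry per release and architecture remains.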

Article series:
The problem with C++ Redists & 3rd Party security patches – I
The problem with C++ Redists & 3rd Party security patches – II
The problem with C++ Redists & 3rd Party security patches – III
