Brief information about the C++ runtime libraries and their distribution as redistributable packages, with all the problems of a side-by-side installation of different versions. Microsoft has responded to criticism with the Visual C++ 2019 Redistributable, which uses the same files as VC++ 2015/2017.
Some background details
Most programs require runtime libraries to run. With Visual C++ these are the redistributables (runtime libraries) that are installed with the respective application. If VC++ runtime libraries are updated by security updates, Windows installs them in most cases side-by-side.
Why the runtime libraries are installed side-by-side is explained in the German blog post Windows 7/8.1/10: Fehler Side-by-Side-Konfiguration ungültig, but in another context.
In short: Runtime libraries are stored centrally so that the applications do not have to install the same DLLs separately into program folders each time. You can save storage space by sharing the libraries.
The problem: If two applications use different versions of a runtime library, conflicts would arise if the most recently installed application simply overwrote the existing runtime files. This kind of conflict when installing an application used to be known as “DLL hell”.
To avoid this problem elegantly, the side-by-side configuration was introduced with the WinSxS folder (Windows component store). When installing an application, the runtime libraries, DLLs, and other resources are stored in a separate subfolder of the WinSxS folder. This prevents multiple files from interfering with each other at the same time. Further insights can be found in the mentioned blog post.
In practice, however, this leads to a variety of problems – including the unsafe, patched versions that end up on a computer via software and updates. I had addressed this, with the help of blog reader Karl, in a series of articles (The problem with C++ Redists & 3rd Party security patches – I). We had also brought this to Microsoft.
Runtime for VC++ 2019 with V2015/2017
That seems to have been fruitful at the end of the day. Blog reader Karl informed me yesterday on Twitter about a change that Microsoft is introducing with the Runtime for VC++ 2019.
All that care to manage C++ redists: MS has released C++ 2019, which will include and replace 2015 and 2017.
Great work as this finally ends the side by side installation of outdated redists by software. All in one Runtimes isn’t yet updated. @ComputerBase
— al Qamar (Karl) (@tweet_alqamar) June 20, 2019
If you have to take care of the administration of VC++ redistributables, you get relief now (if Microsoft does its job correctly – you have to wait and see). According to the tweet above, the newly released runtime environment for C++ 2019 includes the redistributables of VC++ 2015 and VC++ 2017. Microsoft published this KB article at the end of May 2019. Quote from the article:
Note Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
For example, installing the Visual C++ 2019 redistributable will affect programs built with Visual C++ 2015 and 2017 also. However, installing the Visual C++ 2015 redistributable will not replace the newer versions of the files installed by the Visual C++ 2017 and 2019 redistributables.
This is different from all previous Visual C++ versions, as they each had their own distinct runtime files, not shared with other versions.
This means that you no longer have to worry about these last two versions. But nothing changes with the runtime libraries of VC++ 2013 or earlier. In a personal mail Karl informed me about the following:
By the way, the change has been around since C++ 2017 (14.10 / 14.16), which replaces C++ 2015 (14.0) for the first time in history.
In practice, however, there were problems with some programs compiled with 2015. However, there was another update for the 2017 runtimes, and now there is the 2019 (14.21). I will roll them out soon at the customer with the problems and see if there are then fewer problems. It was a novelty for me that with newer runtimes there is “stress” at all. Probably bad code.
Especially with 2013 or older, applications or games (Steam) again and again lead to replaced runtimes. But the problem will probably fade away by itself in time if you only use new applications. 2005 is probably already out of support, and 2008 too, I think. Which doesn’t mean that I wouldn’t install them anymore.
It’s always better to install the last current runtimes than none at all, which then causes even older installations – depending on how they have programmed their installer checks – so the same or newer: leave / older: install side by side.
Karl also points out that since C++ 2008 there are no more updates for C++ via Windows Update / WSUS. He also writes:
Windows Update for Business patches only Windows components anyway. So C++ would be 3rd party software. Up to today, obsolete C++ 2005, 2008 and 2012 redists are distributed via the Microsoft download pages and Windows Update. At least older than the ones available at my.visualstudio.com or via Patrick Kuhnke’s AIO runtimes. I don’t think anybody wants to care about it anymore and they let it fade out like that.
Karl then posted some screenshots on Twitter, showing what a cleaned system should look like.
This is how it should look in a cleaned / secure environment (AIO Runtime 2.4.8 C++ & C++ 2019). AIO will remove insecure C++ redists as Windows Update still won’t update them correctly. Some of the updates here are outdated, too. https://t.co/BIIBbV8RsV pic.twitter.com/G39J2RzmQ3
— al Qamar (Karl) (@tweet_alqamar) June 20, 2019
The abbreviation AIO stands for All in One Runtime, which is maintained by Patrick Kuhnke. That’s what I wrote in my blog post The problem with C++ Redists & 3rd Party security patches – III with Karl’s support.
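The rule from the KB quote above (2015, 2017 and 2019 share one set of files, 2013 and earlier each have their own) can be checked on a machine by listing the installed redistributables and grouping them by runtime family. The following PowerShell is an added example, not code from this article, from Karl or from Microsoft; the function name, the DisplayName pattern, the x64/x86 inference and the sample entries are assumptions.

```powershell
# Added example; Get-VcRedistInventory is a hypothetical helper, not Microsoft's or the article's code.
function Get-VcRedistInventory {
    param(
        # Objects with DisplayName/DisplayVersion; by default read from the Uninstall keys.
        [object[]]$Entries = (Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'))
    )
    # Major version -> release. 14.x is the one family shared by VC++ 2015, 2017 and 2019.
    $family = @{ 8 = '2005'; 9 = '2008'; 10 = '2010'; 11 = '2012'; 12 = '2013'
                 14 = '2015/2017/2019 (shared files)' }
    $rows = @(foreach ($e in $Entries) {
        # Assumption: redistributables are recognisable by this DisplayName pattern.
        if ($e.DisplayName -notmatch 'Microsoft Visual C\+\+ \d{4}.*Redistributable') { continue }
        $v = $e.DisplayVersion -as [version]
        if (-not $v) { continue }   # no parseable version, cannot be classified
        $name = $family[$v.Major]
        [pscustomobject]@{
            Family  = if ($name) { "VC++ $name" } else { 'unknown' }
            # Assumption: a DisplayName without an x64 marker is a 32-bit package.
            Arch    = if ($e.DisplayName -match 'x64') { 'x64' } else { 'x86' }
            Version = $v
        }
    })
    # One row per family and architecture: newest version, plus older ones still installed.
    $rows | Group-Object Family, Arch | ForEach-Object {
        $sorted = @($_.Group.Version | Sort-Object -Descending -Unique)
        [pscustomobject]@{
            Family          = $_.Group[0].Family
            Arch            = $_.Group[0].Arch
            Newest          = $sorted[0]
            OlderSideBySide = ($sorted | Select-Object -Skip 1) -join ', '
        }
    }
}

# Constructed sample entries (names and build numbers are made up, not from a real machine).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Visual C++ 2008 Redistributable - x86 9.0.1'; DisplayVersion = '9.0.1' }
    [pscustomobject]@{ DisplayName = 'Microsoft Visual C++ 2008 Redistributable - x86 9.0.2'; DisplayVersion = '9.0.2' }
    [pscustomobject]@{ DisplayName = 'Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.1'; DisplayVersion = '12.0.1' }
    [pscustomobject]@{ DisplayName = 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.1'; DisplayVersion = '14.21.1' }
)
# Omit -Entries to inventory the local machine instead of the sample.
Get-VcRedistInventory -Entries $sample | Format-Table -AutoSize
```

A non-empty OlderSideBySide column for a family from 2013 or earlier means an older copy of that runtime is still installed next to a newer one, which is the side-by-side situation described above.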
The problem with C++ Redists & 3rd Party security patches – I
The problem with C++ Redists & 3rd Party security patches – II
The problem with C++ Redists & 3rd Party security patches – III
Citrix Workspace-App comes w/o VC++ Runtime from V1904
Vulnerabilities in Microsoft Visual C++ Runtime