[German]A brief question for the administrators among the blog readers who manage updates with WSUS. Has the current version of the update KB2565063 (Microsoft Visual C++ 2010 SP1 Redistributable Package) been deployed on WSUS? Or did Microsoft simply forget about it or does not roll out security updates anymore?
Advertising
Visual C++ 2010 SP1 Update KB2565063
Update KB2565063 is the updated version of the Microsoft Visual C++ 2010 SP1 Redistributable Package. It is needed to run applications created with Visual Studio 2010 in Visual C++ on Windows. A security issue has recently been identified. This leads to a security vulnerability in MFC applications that were created with Visual Studio 2010 and contain the Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package.
Microsoft has therefore released the Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update (Update KB2565063) on May 12, 2021. The package can be downloaded here.
And this makes things a bit opaque, because in the Microsoft Update Catalog there is only the April 4, 2012 version, which causes problems.
Advertising
Feedback from a WSUS administrator
Blog reader Markus K. emailed me with the following note about the problem (thanks for that).
I forward the following mail, because we noticed the thing because of software we have to use, but also only when the software could not be installed anymore, because a corresponding vclib was not available.
Markus refers to a discussion in the patchmanagement.org mailing list where an administrator raises the whole thing in the following comment.
Hi all,
maybe someone can enlighten me:
- WSUS Server 2019 has KB2565063 which was released March 2012 which seems a bit old.
- My search finds the MS-page with a pretty new publishing date (5/12/2021).
Looks to me like the package gets updated on the Website but not on WSUS which leaves me with a big question-mark over my head how to get this mess sorted out. How do I stay patched?
Markus K. wrote:
The corresponding C++ KB2565063 is of course released on WSUS, which is why I didn't think anything bad about it.
Can it really be that Microsoft forgot the stuff at WSUS (I honestly didn't check against WindowsUpdate (MS-Update)), or have I successfully overlooked so far that the deployment of the patches at WSUS have been stopped?
I'm just putting this out there now since I don't know the answer. Since the update in the Microsoft Update Catalog is also an ancient version, I assume that Microsoft simply stopped distributing the update via Windows Update and WSUS. Some discussion may be found within my German blog. Does anyone know more about this?
Similar articles:
Vulnerabilities in Microsoft Visual C++ Runtime
I am not seeing it in WSUS, but then I haven't seen 1809 ( for LTSC) patches in WSUS since April either -Server 2012 R2
KB2565063 is indeed dates 2011.
MS re-signed the same package with SHA-256 instead of SHA-1 in May 2021.
Within the German blog there are some comments, that the SHA-2 signing has been already made a few years before. The size of the packages are also different – and Microsoft wrote about a security issue within it's KB article. Confusion at all …