Updated hotfixes for Visual Studio vulnerability (CVE-2018-1037)

Microsoft has updated the hotfix packages addressing the Visual Studio vulnerability (CVE-2018-1037). Since then, some computers which were not applicable to the original version in 2018 have become applicable to the revised version.

I believe the following fixlets in the Patches for Windows site need to be reviewed and possibly updated:

408737101 MS18-APR: Security update for the information disclosure vulnerability - Visual Studio 2015 Update 3 - KB4087371
408928301 MS18-APR: Update for Microsoft Visual Studio 2013 Update 5 - Visual Studio 2013 - KB4089283
408950102 MS18-APR: Security update for the information disclosure vulnerability - Visual Studio 2012 Update 5 - KB4089501
409134601 MS18-APR: Security update for the information disclosure vulnerability - Visual Studio 2010 SP1 - KB4091346

References from Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1037
https://support.microsoft.com/kb/4091346
https://support.microsoft.com/kb/4089501
https://support.microsoft.com/kb/4089283
https://support.microsoft.com/kb/4087371

KB4087371 is the only one that has an updated patch binary. I’ll ask the team to take a look at this one.

The patches for all of the others listed are exactly the same. The verbiage in the KB article is only saying these are being distributed to more OSes via Microsoft Updates. The BigFix fixlets for these are not restricted by OS, so the updated distribution of the update to more operating systems has no impact on the existing fixlets.