Applies to: All Visual Studio 2015 Update 3 editions except Isolated and Integrated Shells 

Notice

In November 2020, the content of this article was updated to clarify the affected products, prerequisites, and restart requirements. Additionally, the update metadata in WSUS was revised to fix a Microsoft System Center Configuration Manager reporting bug.

Summary

An information disclosure vulnerability exists if Visual Studio incorrectly discloses limited contents of uninitialized memory while compiling program database (PDB) files. An attacker who exploits the vulnerability could view uninitialized memory from the computer that is used to compile a program database file.

To learn more about the vulnerability, see CVE-2018-1037.

How to obtain and install the update

Method 1: Microsoft Download

The following file is available for download:

Download the hotfix package now.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

More information

Prerequisites

To apply this security update, you must have both Visual Studio 2015 Update 3 and the subsequent Cumulative Servicing Release KB 3165756 installed. Typically, KB 3165756 is installed automatically when you install Visual Studio 2015 Update 3. However, in some cases, you have to install the two packages separately.

Restart requirement

We recommend that you close Visual Studio 2015 before you install this security update. Otherwise, you may have to restart the computer after you apply this security update if a file that is being updated is open or in use by Visual Studio.

Security update replacement information

This security update doesn't replace other security updates.

Issues that are fixed in this security update

This security update addresses the PDB issue that is described in CVE-2018-1037, in which a PDB file may contain uninitialized heap content in a process that updates an existing PDB file, such as Mspdbsrv.exe. We strongly recommend that you use the updated PDBCopy tool to check every existing PDB that you intend to share or distribute.

Issues that are not fixed by this security update

If you're using the /DEBUG:fastlink linker option to build your projects or solutions and you're using Mspdbcmf.exe to convert linker-generated fastlink PDB files into full PDB files, the resulting full PDB files could also have this information-disclosure vulnerability. To obtain an update to Visual Studio 2015 Mspdbcmf.exe, go to this Knowledge Base article.

If you also use Visual Studio 2017, you can use the Mspdbcmf.exe file that is included in the latest Visual Studio 2017 preview or update to convert fastlink PDB files that are generated by the Visual Studio 2015 linker. (PDBs that are generated by the latest Visual Studio 2017 Mspdbcmf.exe file are not vulnerable.)

File hash information

File name: vs14-kb4087371.exe

SHA1 hash: DF129BA5448973FBD81471107E16C7D2E0199BB7

SHA256 hash: C452851427B185162E0FBF2FD62E2D5EF000BFB184A62D0C0FB273D4546F937E

Installation verification

To verify that this security update is applied correctly, follow these steps:

  1. Open the Visual Studio 2015 program folder.

  2. Locate the Mspdbcore.dll file.

  3. Verify that the file version is equal to or greater than 14.0.27534.
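
The two checks above (the published SHA256 hash of the package and the Mspdbcore.dll version) can be scripted for use across build machines. This PowerShell script is an added example, not part of the original article or a Microsoft tool. It assumes the package sits in the user's Downloads folder and that Visual Studio 2015 is installed in its default folder; adjust both paths as needed.

```powershell
# Added example. Both paths are assumptions; the hash, file name and
# minimum version are the values published in this article.
$PackagePath    = Join-Path $env:USERPROFILE 'Downloads\vs14-kb4087371.exe'      # assumed download location
$VsRoot         = "${env:ProgramFiles(x86)}\Microsoft Visual Studio 14.0"        # assumed default VS 2015 folder
$ExpectedSha256 = 'C452851427B185162E0FBF2FD62E2D5EF000BFB184A62D0C0FB273D4546F937E'
$MinVersion     = [version]'14.0.27534'

# 1. Before installing: confirm the downloaded package matches the published hash.
if (Test-Path -LiteralPath $PackagePath) {
    $actual = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch for $PackagePath (got $actual). Do not run this file."
    }
    Write-Output "Package hash OK: $PackagePath"
} else {
    Write-Output "Package not found at $PackagePath, skipping hash check."
}

# 2. After installing: check every copy of Mspdbcore.dll under the VS folder,
#    since more than one copy may be present.
$dlls = Get-ChildItem -LiteralPath $VsRoot -Filter 'Mspdbcore.dll' -Recurse -File -ErrorAction SilentlyContinue
if (-not $dlls) {
    throw "No Mspdbcore.dll found under $VsRoot. Check the install path."
}

$results = foreach ($dll in $dlls) {
    $vi = $dll.VersionInfo
    # Use the numeric version parts; the FileVersion string can carry extra text.
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path    = $dll.FullName
        Version = $fileVersion
        Patched = ($fileVersion -ge $MinVersion)
    }
}

$results | Format-Table -AutoSize

# Fail loudly if any copy is older than the fixed version.
if ($results.Patched -contains $false) {
    throw 'At least one Mspdbcore.dll is older than 14.0.27534. The update is not fully applied.'
}
Write-Output 'All Mspdbcore.dll copies are at or above 14.0.27534.'
```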
