Starting on March 10, 2020, Microsoft Update is now offering this security update to additional versions of Windows. On May 12, 2020, improvements were released to both the installer and the offering method for this update on Microsoft Update. These improvements make sure that this update is offered to and installed correctly on all appropriate configurations.
To learn more about the vulnerability, see CVE-2018-1037.
To apply this security update, you must have Visual Studio 2015 Update 3 installed.
You may have to restart the computer after you apply this security update if an instance of Visual Studio is being used.
Security update replacement information
This security update doesn't replace other security updates.
Issues that are fixed in this security update
This security update addresses the PDB issue that is described in CVE-2018-1037, in which a PDB file may contain uninitialized heap content in a process that updates an existing PDB file, such as mspdbsrv.exe. We strongly recommend that you use the updated PDBCopy tool to check every existing PDB that you intend to share or distribute.
Issues that are not fixed by this security update
If you're using the /DEBUG:fastlink linker option to build your projects or solutions and you're using mspdbcmf.exe to convert linker-generated fastlink PDB files into full PDB files, the resulting full PDB files could also have this information-disclosure vulnerability. To obtain an update to Visual Studio 2015 mspdbcmf.exe, go to this Knowledge Base article.
If you also use Visual Studio 2017, you can use the mspdbcmf.exe that is included in the latest Visual Studio 2017 preview or update to convert fastlink PDB files that are generated by the Visual Studio 2015 linker. (PDBs generated by the latest Visual Studio 2017 mspdbcmf.exe are not vulnerable.)