Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Applies to: Visual Studio 2010 Tools for Office Runtime that is included with Microsoft Office and Visual Studio 2022, 2019, 2017, 2015, and 2013.


This security update addresses a vulnerability in which an unauthenticated remote attacker can sign deployments of Visual Studio Tools for Office (VSTO) Add-ins without a valid code-signing certificate.

To learn more about the vulnerability, see CVE-2023-36897

Known issues for VSTO Add-ins


After you install KB5028244 for Windows 10, VSTO Add-ins that were deployed by using ClickOnce might begin to prompt you for installation even if the VSTO Add-in is already installed and marked as "trusted."


To mitigate the issue, see Windows 10, version 22H2 resolved issues or Windows 10, version 21H2 resolved issues.

Affected platforms

  • Client: Windows 10, version 22H2; Windows 10, version 21H2

  • Server: None

How to obtain and install the update

Note: The update will automatically configure VSTO to use the same language as your copy of Windows. If you need an additional language pack (for example, if your copy of Windows uses more than one language setting, or if you switch from one language setting to another after you install the VSTO runtime), you can find the language pack here.

This update is also available through the following methods:

- Updates for supported versions of Visual Studio 2022, 2019, and 2017

- Update channels for supported versions of Microsoft 365 Apps, Office 2021, and Office 2019

Method 1: Microsoft Download

The following file is available for download:

Download icon Download the hotfix package now.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website. 

More information


To apply this security update, you must have supported versions of Microsoft Visual Studio or supported versions of Microsoft Office installed.

Restart requirement

You do not have to restart the computer after you install the security update if the affected files are not being used at the time of installation. We recommend that you close Visual Studio and Microsoft Office before you install the security update.

Security update replacement information

This security update replaces previously released update KB3001652.

File hash information

File name

SHA256 hash



File information

File name

File version

File size








Installation verification

To verify that this security update is applied correctly, follow these steps: 

  1. Navigate to the following folder:


  2. Locate the folder whose name begins as "v4.0_10."

  3. Verify that the file version for Microsoft.VisualStudio.Tools.Applications.Hosting.dll is equal to or greater than 10.0.60910.00.

Information about protection and security

For more information, see the Visual Studio 2010 Tools for Office Runtime support policy.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!