Applies to: Visual Studio 2010 Tools for Office Runtime that is included with Microsoft Office and Visual Studio 2022, 2019, 2017, 2015, and 2013.
Summary
This security update addresses a vulnerability in which an unauthenticated remote attacker can sign deployments of Visual Studio Tools for Office (VSTO) Add-ins without a valid code-signing certificate.
To learn more about the vulnerability, see CVE-2023-36897.
Known issues for VSTO Add-ins
Symptom
After you install KB5028244 for Windows 10, VSTO Add-ins that were deployed by using ClickOnce might begin to prompt you for installation even if the VSTO Add-in is already installed and marked as "trusted."
Resolution
To mitigate the issue, see Windows 10, version 22H2 resolved issues or Windows 10, version 21H2 resolved issues.
Affected platforms
- Client: Windows 10, version 22H2; Windows 10, version 21H2
- Server: None
How to obtain and install the update
Note: The update will automatically configure VSTO to use the same language as your copy of Windows. If you need an additional language pack (for example, if your copy of Windows uses more than one language setting, or if you switch from one language setting to another after you install the VSTO runtime), you can find the language pack here.
This update is also available through the following methods:
- Updates for supported versions of Visual Studio 2022, 2019, and 2017
- Update channels for supported versions of Microsoft 365 Apps, Office 2021, and Office 2019
Method 1: Microsoft Download
The following file is available for download:
Method 2: Microsoft Update Catalog
To get the standalone package for this update, go to the Microsoft Update Catalog website.
More information
Prerequisites
To apply this security update, you must have supported versions of Microsoft Visual Studio or supported versions of Microsoft Office installed.
Restart requirement
You do not have to restart the computer after you install the security update if the affected files are not being used at the time of installation. We recommend that you close Visual Studio and Microsoft Office before you install the security update.
Security update replacement information
This security update replaces previously released update KB3001652.
File hash information
File name | SHA256 hash |
---|---|
vstor_redist_e7a2976ca89418fd18158d4799cdf9493deedc2c.exe | 9511042EABB4123827D1799154B9B2754C8509CA742D4E1AEA919084563F0B1E |
File information
File name | File version | File size | Date | Time |
---|---|---|---|---|
vstor_redist_e7a2976ca89418fd18158d4799cdf9493deedc2c.exe | 10.0.60910.00 | 41,649,696 | 3-Jul-23 | 08:38 |
Installation verification
To verify that this security update is applied correctly, follow these steps:
- Navigate to the following folder: Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting
- Locate the folder whose name begins with "v4.0_10."
- Verify that the file version for Microsoft.VisualStudio.Tools.Applications.Hosting.dll is equal to or greater than 10.0.60910.00.
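The two checks this page describes (the installer's SHA256 hash and the installed DLL's file version) can be scripted for use across many machines. The following PowerShell is an added example, not Microsoft's own tooling; the function names and the installer path in the usage lines are hypothetical, and it assumes the "Windows" folder in the steps above is the directory in `$env:windir`.

```powershell
# Added example. Hash, folder prefix and minimum version are taken from this page.
$ExpectedHash   = '9511042EABB4123827D1799154B9B2754C8509CA742D4E1AEA919084563F0B1E'
$MinimumVersion = [version]'10.0.60910.0'   # page lists 10.0.60910.00

function Test-VstoInstallerHash {
    # Returns $true only if the downloaded package matches the published SHA256.
    param([Parameter(Mandatory)][string]$Path)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $actual -eq $ExpectedHash        # string -eq is case-insensitive
}

function Get-VstoHostingPatchState {
    # Emits one object per "v4.0_10.*" folder in the GAC; emits nothing
    # if the VSTO runtime is not installed on this machine.
    $gac = Join-Path $env:windir `
        'Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting'
    if (-not (Test-Path -LiteralPath $gac)) { return }

    Get-ChildItem -LiteralPath $gac -Directory -Filter 'v4.0_10.*' | ForEach-Object {
        $dll = Join-Path $_.FullName 'Microsoft.VisualStudio.Tools.Applications.Hosting.dll'
        if (Test-Path -LiteralPath $dll) {
            $vi = (Get-Item -LiteralPath $dll).VersionInfo
            # Build a comparable [version] from the numeric parts so that
            # the comparison is numeric rather than string-based.
            $v = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Path        = $dll
                FileVersion = $v
                Patched     = ($v -ge $MinimumVersion)
            }
        }
    }
}

# Usage (the download location below is a hypothetical path):
# Test-VstoInstallerHash -Path "$env:USERPROFILE\Downloads\vstor_redist_e7a2976ca89418fd18158d4799cdf9493deedc2c.exe"
# Get-VstoHostingPatchState | Where-Object { -not $_.Patched }
```

An empty result from `Get-VstoHostingPatchState` means no matching GAC folder was found, which is different from a row with `Patched` set to `False`.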
Information about protection and security
- Protect yourself online: Windows Security support
- Learn how we guard against cyber threats: Microsoft Security
For more information, see the Visual Studio 2010 Tools for Office Runtime support policy.