Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security update KB2533623 no longer available #20459

Closed
florenzen opened this issue Sep 4, 2020 · 41 comments · Fixed by #22264
Closed

Security update KB2533623 no longer available #20459

florenzen opened this issue Sep 4, 2020 · 41 comments · Fixed by #22264
Labels
install-deployment/subsvc Pri1 High priority, do before Pri2 and Pri3 product-feedback Indicates issues that are related to product issues, not docs [org][type][category]

Comments

@florenzen
Copy link

florenzen commented Sep 4, 2020

The security update KB2533623 is no longer available for download from Microsoft. Does that mean a .NET Core Installation on Windows 7 is not possible anymore?

I know, Windows 7 is out of support but there is also Windows Embedded Standard which is based in that version and which still has support in industrial applications.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

@adegeo
Copy link
Contributor

adegeo commented Sep 4, 2020

I'll ask around 😢

@adegeo adegeo added doc-bug Problem with the content; needs to be fixed [org][type][category] P1 product-feedback Indicates issues that are related to product issues, not docs [org][type][category] and removed ⌚ Not Triaged Not triaged doc-bug Problem with the content; needs to be fixed [org][type][category] labels Sep 4, 2020
@adegeo
Copy link
Contributor

adegeo commented Sep 4, 2020

@florenzen The download is restored. Thank you for reporting it!

@adegeo adegeo closed this as completed Sep 4, 2020
@adegeo
Copy link
Contributor

adegeo commented Sep 7, 2020

Download is gone again.. Or I was mistaken when I thought it was restored. Reopening.

@adegeo adegeo reopened this Sep 7, 2020
@adegeo
Copy link
Contributor

adegeo commented Sep 9, 2020

Seems to be there again.... hrm

@adegeo adegeo closed this as completed Sep 9, 2020
@florenzen
Copy link
Author

I am not able to download the msu file. When I click on the link for the Windows6.1-KB2533623-x86.msu (pointing to http://www.microsoft.com/download/details.aspx?familyid=c79c41b0-fbfb-4d61-b5d8-cadbe184b9fc) file on https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot I the page I get "We're sorry, this download is no longer available."

However, I accidentally found the following reddit thread: https://www.reddit.com/r/windows/comments/ik7sp7/does_anybody_have_the_kb2533623_update_for/

The thread claims that KB2533623 is superseded by KB3063858 or KB4457144. As a test, I installed KB4457144 from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4457144 and .NET 5 Preview 8 worked for me on Windows 7. (I did not check KB3063858.)

I had the link for the update from https://docs.microsoft.com/en-us/dotnet/core/install/windows?tabs=netcore31 since I did not find an equivalent page for .NET 5 Preview 8. Perhaps, the documentation could be updated to point to KB4457144.

@adegeo adegeo reopened this Sep 9, 2020
@adegeo
Copy link
Contributor

adegeo commented Sep 9, 2020

Ahhh the link inside of the link! Thank you for the clarification.

To note for .NET 5, I doubt it will be officially supported on Win 7, and wouldn't be documented as such here. Core 3.1 was released while Win 7 was in extended support, but that ended in January. Considering .NET 5 is yet to be released, I don't think they would guarantee that it works on Win 7.
EDIT: The release notes for supported OS on .NET 5 indicates it's supported.

https://github.com/dotnet/core/tree/master/release-notes/5.0

@florenzen
Copy link
Author

Thanks for the clarification wrt. the Windows 7 support period. There are still Windows Embedded Standard 7 Systems running in e. g. industrial systems that still receive (paid) support, which is the kind of system we are working with. Is there any chance to get a statement from the .NET development wrt. to that kind of Installation? Anyone I could ask?

@adegeo
Copy link
Contributor

adegeo commented Sep 9, 2020

You could try filing an issue at the source repo for .NET: https://github.com/dotnet/core/issues they would hopefully be able to get you some sort of information. If that doesn't work after some time, hit me up again and I'll see if I can find someone.

@OraDotNetDev
Copy link

OraDotNetDev commented Sep 30, 2020

Hi @adegeo

I was wondering you might be able to get any further information, there's not been any conclusion to the issue @florenzen raised for this on the .Net Core repo?

Thanks

ODN

@adegeo
Copy link
Contributor

adegeo commented Sep 30, 2020

Thanks for the ping. I'll send out another email internally.

@adegeo
Copy link
Contributor

adegeo commented Sep 30, 2020

Has anyone tested installing KB4457144 as a replacement for KB2533623 on Win7?

@jberezanski
Copy link

I have tested KB3063858, which is a tiny update (as opposed to KB4457144 - a full monthly rollup), and it does make .NET Core 3.1 work correctly. Once KB3063858 and updated KB2533623 Chocolatey packages pass moderation, .NET Core will again be installable (runtime, sdk, windowshosting) with Chocolatey on Windows 7/2008 R2.

@doghappy
Copy link

KB3063858 fixed the problem for me!

32-bit: https://www.microsoft.com/en-us/download/details.aspx?id=47409
64-bit: https://www.microsoft.com/en-us/download/details.aspx?id=47442

—— https://www.reddit.com/r/windows/comments/ik7sp7/does_anybody_have_the_kb2533623_update_for/

@bairog
Copy link

bairog commented Nov 24, 2020

Same here! KB2533623 liks are broken, but still mentioned as a .NET Core 3.1/.NET 5 necessary dependency.
I will test KB3063858 (links are ok) tomorrow - but it is NOT mentioned as .NET Core 3.1/.NET 5 dependency
P. S. @adegeo - you've closed my issue #21706 as duplicate. What steps are going to be performed to fix existing problem - fixing KB2533623 broken links or correcting description at .NET Core 3.1/.NET 5 dependencies page? What is estimated timeframe?
Thank you.

@elGuille-info
Copy link

elGuille-info commented Dec 2, 2020 via email

@bairog
Copy link

bairog commented Dec 22, 2020

@adegeo
Today we again performed a test on our clean Windows 7 SP1 x86 (without any updates installed):
image
image
Latest .NET Desktop Runtime 5.0.1 (windowsdesktop-runtime-5.0.1-win-x86.exe) installs without any problems.
But when we run our .NET 5.0 test applications (console/WinForms x86) - we get an error:

The program can't start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem.

image

The main difference is that neither KB2533623 (from Web Archive) nor KB3063858 solves the problem this time.
The only working solution was installing KB2999226 (very strange because it is a prerequisite for .NET Framework 4.8 offline installer) and after that installing KB2533623 or KB3063858 (no matter which one).
Investigate this problem ASAP please.

P. S. Some of our customers have PCs isolated from Internet/WSUS - so we are to include KB patches in our software installer.

@adegeo
Copy link
Contributor

adegeo commented Dec 22, 2020

@bairog Thank you very much for this information, I'll pass it on to the team!

@Avispa
Copy link

Avispa commented Jan 3, 2021

I can confirm that the security update is still not available.

@bairog Thank you very much for this information, I'll pass it on to the team!

@adegeo Don't pass it anywhere, just re-upload the file or fix the link.

In case you lost it, you can download it from web.archive.org. Maybe consider to make a big donation to the Internet Archive since they manage to to keep your security patches available and by that de facto handle Microsoft's customer service too. So I think they deserve some appreciation.

missing-security-update-KB2533623 small

Side note: your dots below the blue helicopter don't scale consistently in different resolutions as seen in the screen shot. Upon interpretation the helicopter appears to pick up the wrong dot or straight lost it. Kinda ironic.

@adegeo adegeo added Pri1 High priority, do before Pri2 and Pri3 and removed P1 Pri2 labels Jan 5, 2021
@adegeo
Copy link
Contributor

adegeo commented Jan 5, 2021

I got some clarifications on what has happened. The old patches were removed because they are all signed with SHA-1 certificates, which are no longer secure due to shatter attacks. Microsoft as a whole has moved on to at least SHA-256 security and thus there was a company-wide effort to remove SHA-1 stuff.

However, there are newer patches which have been reported as including the fixes required to install .NET on Windows 7: https://www.catalog.update.microsoft.com/Search.aspx?q=kb4534310

@bairog would you be able to confirm this fixes your problem (if you have an easy test environment) I'm going to work on creating a test environment but it would be good to hear from you.

Cheers!

@bairog
Copy link

bairog commented Jan 6, 2021

@adegeo

@bairog would you be able to confirm this fixes your problem (if you have an easy test environment) I'm going to work on creating a test environment but it would be good to hear from you.

I've performed a test on our clean Windows 7 SP1 x86 (without any updates installed). Installing KB4534310 update results in error:
Virtual-Box-Windows-7-SP1-x86-06-01-2021-14-03-32
UPDATE I had same error message before (when installing .NET Framework 4.8 on clean Windows7 SP1 x86).
Than time I've solved the problem by installing MicrosoftRootCertificateAuthority2011.cer (more info at StackOveflow).
But even installing that certificate is not enough for KB4534310 update. So the problem is still here.

P.S. Even if you find a way to install KB4534310 update and this update makes our our .NET 5.0 test applications (console/WinForms x86) work correctly - that is hardly suitable for us. KB4534310 update is a full monthly rollup (size for Windows 7 SP1 x86 is 204Mb). Including an update that is more than 2 times bigger than our software installer itself (it is less than 100Mb) - is a nonsence.
But we are to include KB patches in our software installer because some of our customers have PCs isolated from Internet/WSUS.
Hope you will a smaller separate update (1-5Mb) that will make .NET 5 work on clean Windows 7 SP1 x86.
Good luck.

@adegeo
Copy link
Contributor

adegeo commented Jan 7, 2021

@bairog Thank you for testing and giving me some results. I was able to spin up a test machine today too, a clean Win 7 x64 SP1 from the Visual Studio downloads. I also had that same error on some files but I fixed it by unblocking it in the file properties, was that not the source of the problem?

Your requirement of having a small footprint for distribution is noted. I'm passing that info and this post on to the team. I was able to boil down and confirm that these steps worked for me. I don't know though if windows update installed something behind me that may have contributed to its success:

  1. Microsoft Visual C++ 2015 Redistributable Update 3
  2. KB3063858 32-bit / 64-bit

I'm going to do another test networkless and make sure it works.
I validated on a connectionless VM that installing those two downloads worked, even with a .NET 5 WinForms project. I only tested with .NET 5. I think they said they improved things for .NET 5 so I'll have to test with 3.1 to see if that works too.

@bairog
Copy link

bairog commented Jan 7, 2021

@adegeo
I can confirm that installing the following:

  1. Microsoft Visual C++ 2015 Redistributable Update 3
  2. KB3063858 32-bit / 64-bit

makes our .NET 5.0 test applications (console/WinForms x86) work correctly.

I can also confirm that Microsoft Visual C++ 2015-2019 Redistributable 32-bit / 64-bit can be used instead of Microsoft Visual C++ 2015 Redistributable Update 3.
It is already included in our software installer (part of our modules are C++) - so we need only include KB3063858 update (905Kb).
Great job!

P.S. Don't forget to change KB2533623 to KB3063858 and make some comments about Microsoft Visual C++ 2015-2019 Redistributable on .NET Core 3.1/.NET 5 necessary dependency page ASAP. Thank you.

@adegeo
Copy link
Contributor

adegeo commented Jan 7, 2021

Thanks for the additional information. I cannot get the installers for 2.1 working though so I'm investigating that. Regardless, I'll get this page updated with this information by tomorrow. Thanks again!

@bairog
Copy link

bairog commented Jan 7, 2021

I cannot get the installers for 2.1 working though so I'm investigating that.

What exactly do you mean? .NET Core 2.1 or what?

@adegeo
Copy link
Contributor

adegeo commented Jan 7, 2021

Correct. I just fixed that though. The .NET Core 2.1 installer requires the certificate you linked to. Core 3.1 and .NET 5 don't require the certificate.

@bairog
Copy link

bairog commented Jan 8, 2021

The .NET Core 2.1 installer requires the certificate you linked to.

NB To fully automate MicrosoftRootCertificateAuthority2011.cer certificate installation process (e. g. inside software installers) Certificate Manager (certmgr.exe) can be used to add the certificate via admin command prompt (more info at StackOverflow):

certmgr.exe /add MicrosoftRootCertificateAuthority2011.cer /s /r localMachine root

P. S. The Certificate Manager utility is automatically installed with Visual Studio (we obtained it exactly this way) but I suppose it would be handy to have a separate download link for this utility.

@adegeo I think you should add all this info for .NET Core 2.1 necessary dependency page

@adegeo
Copy link
Contributor

adegeo commented Jan 11, 2021

Thanks for the suggestion. I think I'll skip that for now though. Considering .NET Core 2.1 is going to be end of in 8 months and really anyone looking into automating things like installing certificates should be able to easily find that information on the net. Just a quick search turned up https://www.itninja.com/question/how-do-i-automate-the-import-of-a-certificate-cer-file for me.

If you strongly disagree, please open a new issue to discuss it and we can ask some other team members if how they feel about it :) Cheers!

@bairog
Copy link

bairog commented Jan 12, 2021

@adegeo MicrosoftRootCertificateAuthority2011.cer certificate is required not only for .Net Core 2.1 offline installer (EOL in 8 months), but also for .NET Framework 4.8 offline installer (will ship with Windows and is promised to be serviced and supported).
So I've opened a new issue - #22308

@ViperCode7
Copy link

@bairog, you cannot install Security Monthly Quality Rollup updates like that on a clean system. Also KB4534310 got superseded by KB4598279 in jan.2021. It's less relevant but informative. All of these updates require prerequisites themselves and I doubt there's a one that fits all for all Runtime needs. Best case scenario, is that the user has updated the machine.
For KB4534310's replacement the update path is:
1st KB4490628 + KB4474419
2nd KB4592510
3rd KB3042058, this one probably pertains to your certificate chain not trusted issue posted above
4th KB3125574 + KB3172605 + KB3179573
5th finally Security Monthly Quality Rollup KB4534310, or latest one per 2020, KB4592471
or
5th only for ESU licensees needed by 2021 updates and going forward, KB4575903 + KB3138612
6th and finally the KB4598279 the replacement for KB4534310

Overall, while vc runtime + KB3063858, which BTW, is not available in the update catalog (due to prob. the sha1 issue)., might have fixed your test, I doubt it's an overall fix for the whole requirements and dependencies of .NET 5.0 Runtime.
Users running clean or air gapped machines should still follow the update path, an unofficial SP2 if you will, even if it's large.

@lindexi
Copy link
Member

lindexi commented May 28, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
install-deployment/subsvc Pri1 High priority, do before Pri2 and Pri3 product-feedback Indicates issues that are related to product issues, not docs [org][type][category]
Projects
None yet
Development

Successfully merging a pull request may close this issue.