KB5016316 Security Update for Visual Studio 2015

KB5016316 is the security update for Visual Studio 2015 Update 3. Microsoft released it on 9th August 2022 as part of that month's ‘Patch Tuesday’ release. The accompanying security bulletin lists four vulnerabilities that affect Visual Studio 2015. We look at the key aspects of KB5016316 and at the vulnerabilities that affect Visual Studio 2015 Update 3.

Salient points about KB5016316 for Visual Studio 2015 Update 3

  • KB5016316 is a standalone security update for Visual Studio 2015 Update 3. For full security coverage, all the previous security updates should also be installed on the Visual Studio 2015 Update 3 machine.
  • KB5016316 resolves four vulnerabilities that have CVSS ratings of 8.8. All these security threats affect Visual Studio 2015 Update 3.
  • Visual Studio 2015 Update 3 is affected by four ‘Remote Code Execution’ threats.
  • The size of the update file for KB5016316 is 13.8 MB.

Prerequisites for installing KB5016316 for Visual Studio 2015 Update 3

There are no specific prerequisites for installing KB5016316 for Visual Studio 2015 Update 3. However, since this is a standalone security update, it is a good practice to ensure that all the previous security updates are already deployed. This will ensure full security coverage for Visual Studio 2015 Update 3.

Vulnerabilities patched in KB5016316 for Visual Studio 2015

Visual Studio 2015 Update 3 is affected by four ‘Remote Code Execution’ vulnerabilities. An attacker would rely on user interaction to deploy malicious payloads on the compromised machine. We look at the four vulnerabilities below.

  • CVE-2022-35777 – Visual Studio Remote Code Execution – This vulnerability has a CVSS score of 8.8, and carries ‘IMPORTANT’ severity level.
  • CVE-2022-35825 – Visual Studio Remote Code Execution – The vulnerability has a CVSS score of 8.8 and carries ‘IMPORTANT’ severity level.
  • CVE-2022-35826 – Visual Studio Remote Code Execution – The vulnerability has a CVSS score of 8.8 and carries ‘IMPORTANT’ severity level.
  • CVE-2022-35827 – Visual Studio Remote Code Execution – The vulnerability has a CVSS score of 8.8 and carries ‘IMPORTANT’ severity level.

Exploiting these vulnerabilities requires user interaction: a user must open a specially crafted file.

  • In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
  • In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

It is therefore recommended that KB5016316 be deployed on Visual Studio 2015 Update 3 on a priority basis. It is also recommended to educate users about email phishing threats and about how best to avoid clicking on external links.

How can I deploy KB5016316 on a Visual Studio 2015 Update 3 machine?

Microsoft has made KB5016316 available as a Hotfix file. Alternatively, you can use the MSU update file to install KB5016316. We look at both approaches below.

  • Microsoft has published a Hotfix to patch Visual Studio 2015 Update 3 with KB5016316. This Hotfix is an executable file. It can be downloaded directly from the KB5016316 hotfix link.
  • If you prefer to download the MSU update file from the Microsoft Update Catalog site, you can use it to apply KB5016316 manually. The MSU update file for KB5016316 has a size of 13.8 MB. It can be downloaded from the KB5016316 page of the Microsoft Update Catalog site.

Before deploying KB5016316, Microsoft recommends closing Visual Studio 2015 Update 3. If you deploy the security update while Visual Studio 2015 Update 3 is running, your computer will require a reboot for the security update to complete installation. Therefore, ensure that you have closed Visual Studio 2015 before deploying KB5016316.

How to verify that KB5016316 is properly deployed on a Visual Studio 2015 Update 3 machine?

After deploying KB5016316, it is important to validate that the security update has been applied without any issues. You can validate the successful installation of KB5016316 on a Visual Studio 2015 Update 3 machine in the following way:

  1. Open the Visual Studio 2015 program folder.
  2. Locate the libfbxsdk.dll file in the Microsoft Visual Studio 14.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  3. Verify that the file version is equal to or greater than 2020.3.1.0.

If you elected to install the optional component (Windows 8.1 and Windows Phone 8.0/8.1 Tools), follow these additional steps:

  1. Locate the libfbxsdk.dll file in the Microsoft Visual Studio 12.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  2. Verify that the file version is equal to or greater than 2020.3.1.0.
  3. Locate the libfbxsdk.dll file in the Microsoft Visual Studio 11.0\Common7\IDE\Extensions\Microsoft\VsGraphics folder.
  4. Verify that the file version is equal to or greater than 2020.3.1.0.
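The same verification can be scripted for use across several machines. The PowerShell below is an added example, not part of the original article or of Microsoft's guidance; it assumes Visual Studio is installed under the default 32-bit Program Files root, which may differ on your machines.

```powershell
# Added example: checks the libfbxsdk.dll version in each folder named in the steps above.
# Assumption: Visual Studio lives under the default 32-bit Program Files root.
$root     = ${env:ProgramFiles(x86)}
$minimum  = [version]'2020.3.1.0'   # minimum patched file version stated in the article
$relative = 'Common7\IDE\Extensions\Microsoft\VsGraphics\libfbxsdk.dll'

$results = foreach ($vs in '14.0', '12.0', '11.0') {
    $path = Join-Path $root "Microsoft Visual Studio $vs\$relative"

    if (-not (Test-Path -LiteralPath $path)) {
        # 12.0 and 11.0 are present only when the optional
        # Windows 8.1 and Windows Phone 8.0/8.1 Tools component was installed.
        [pscustomobject]@{ Folder = $vs; Version = $null; Status = 'NotPresent'; Path = $path }
        continue
    }

    $info = (Get-Item -LiteralPath $path).VersionInfo
    # Compare on the numeric parts; the FileVersion string is not always cleanly formatted.
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)
    $status = if ($found -ge $minimum) { 'Patched' } else { 'Outdated' }

    [pscustomobject]@{ Folder = $vs; Version = $found; Status = $status; Path = $path }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or compliance job flag the machine.
if ($results.Status -contains 'Outdated') { exit 1 }
```

A folder reported as NotPresent is not a failure by itself; only an Outdated row means a copy of libfbxsdk.dll is below the patched version.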

Summary

KB5016316 resolves four RCE vulnerabilities and must be installed proactively on Visual Studio 2015 Update 3 installations. The update file is 13.8 MB in size and should be installed after closing the Visual Studio 2015 session on the machine.
