dotnet/docs

Security update KB2533623 no longer available

florenzen opened this issue · 41 comments

The security update KB2533623 is no longer available for download from Microsoft. Does that mean a .NET Core Installation on Windows 7 is not possible anymore?

I know, Windows 7 is out of support but there is also Windows Embedded Standard which is based in that version and which still has support in industrial applications.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

I'll ask around 😢

@florenzen The download is restored. Thank you for reporting it!

Download is gone again.. Or I was mistaken when I thought it was restored. Reopening.

Seems to be there again.... hrm

I am not able to download the msu file. When I click on the link for the Windows6.1-KB2533623-x86.msu (pointing to http://www.microsoft.com/download/details.aspx?familyid=c79c41b0-fbfb-4d61-b5d8-cadbe184b9fc) file on https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot I the page I get "We're sorry, this download is no longer available."

However, I accidentally found the following reddit thread: https://www.reddit.com/r/windows/comments/ik7sp7/does_anybody_have_the_kb2533623_update_for/

The thread claims that KB2533623 is superseded by KB3063858 or KB4457144. As a test, I installed KB4457144 from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4457144 and .NET 5 Preview 8 worked for me on Windows 7. (I did not check KB3063858.)

I had the link for the update from https://docs.microsoft.com/en-us/dotnet/core/install/windows?tabs=netcore31 since I did not find an equivalent page for .NET 5 Preview 8. Perhaps, the documentation could be updated to point to KB4457144.

Ahhh the link inside of the link! Thank you for the clarification.

To note for .NET 5, I doubt it will be officially supported on Win 7, and wouldn't be documented as such here. Core 3.1 was released while Win 7 was in extended support, but that ended in January. Considering .NET 5 is yet to be released, I don't think they would guarantee that it works on Win 7.
EDIT: The release notes for supported OS on .NET 5 indicates it's supported.

https://github.com/dotnet/core/tree/master/release-notes/5.0

Thanks for the clarification wrt. the Windows 7 support period. There are still Windows Embedded Standard 7 Systems running in e. g. industrial systems that still receive (paid) support, which is the kind of system we are working with. Is there any chance to get a statement from the .NET development wrt. to that kind of Installation? Anyone I could ask?

You could try filing an issue at the source repo for .NET: https://github.com/dotnet/core/issues they would hopefully be able to get you some sort of information. If that doesn't work after some time, hit me up again and I'll see if I can find someone.

Hi @adegeo

I was wondering you might be able to get any further information, there's not been any conclusion to the issue @florenzen raised for this on the .Net Core repo?

Thanks

ODN

Thanks for the ping. I'll send out another email internally.

Has anyone tested installing KB4457144 as a replacement for KB2533623 on Win7?

I have tested KB3063858, which is a tiny update (as opposed to KB4457144 - a full monthly rollup), and it does make .NET Core 3.1 work correctly. Once KB3063858 and updated KB2533623 Chocolatey packages pass moderation, .NET Core will again be installable (runtime, sdk, windowshosting) with Chocolatey on Windows 7/2008 R2.

Same here! KB2533623 liks are broken, but still mentioned as a .NET Core 3.1/.NET 5 necessary dependency.
I will test KB3063858 (links are ok) tomorrow - but it is NOT mentioned as .NET Core 3.1/.NET 5 dependency
P. S. @adegeo - you've closed my issue #21706 as duplicate. What steps are going to be performed to fix existing problem - fixing KB2533623 broken links or correcting description at .NET Core 3.1/.NET 5 dependencies page? What is estimated timeframe?
Thank you.

The Wayback Machine still has a copy.

  1. Go to the Microsoft security advisory webpage which lists the various MSU packages: https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot
  2. Find the update you need. (For example, "Update for Windows 7 for x64-based Systems (KB2533623).")
  3. Copy the URL leading to the download page. (In this example, Win 7 x64, it is http://www.microsoft.com/download/details.aspx?familyid=146ed6f7-b605-4270-8ec4-b9f0f284bb9e.)
  4. Go to the Internet Archive Wayback Machine, at "www.archive.org/web". In the entry field showing a grayed-out "http://", paste in the URL which you copied in the previous step.
  5. The Wayback Machine (for this example) came up with a single hit, from April 12, 2020. Hover over that date on the calendar, then click on the link to the snapshot. For this example, the link text showed as "13:04:07."
  6. It will take a while for the Wayback Machine to find and retrieve the page image. When it comes up, copy information you wish from the webpage, then click on the "Download" box. Save the MSU file.
  7. You're done! You can now install the MSU. Hurray for the Internet Archive!

@jazzcat42 I've already mentioned this workaround in my issue #21706 (closed ad duplicate).
To cut a long story short - final Web Archive link. But that is not normal situation - we a forced to use a hack instead of official way.
@adegeo - any comments about the situation? What steps are going to be performed to fix existing problem - fixing KB2533623 broken links or correcting description at .NET Core 3.1/.NET 5 dependencies page? What is estimated timeframe?

if you still want download KB2533623 , you can download here :
https://github.com/coderbusy/runtime

@Soar360 Thank you for sharing a link.
But I what to have official way to download a .NET Core 3.1/.NET 5 nesessary dependency.

The team is researching this. Does anyone have the errors they receive when they run or install .NET 5/Core without these patches?

if you still want download KB2533623 , you can download here :
https://pan.baidu.com/s/1Z8ifuzK10AG6l-GXJTC0Sg
access password is : pyma

I think it asks me for an email account and password ... I guess it's because I have to register ... but I don't understand what it says or how to register! :-)

I am not able to download the msu file. When I click on the link for the Windows6.1-KB2533623-x86.msu (pointing to http://www.microsoft.com/download/details.aspx?familyid=c79c41b0-fbfb-4d61-b5d8-cadbe184b9fc) file on https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot I the page I get "We're sorry, this download is no longer available."

However, I accidentally found the following reddit thread: https://www.reddit.com/r/windows/comments/ik7sp7/does_anybody_have_the_kb2533623_update_for/

The thread claims that KB2533623 is superseded by KB3063858 or KB4457144. As a test, I installed KB4457144 from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4457144 and .NET 5 Preview 8 worked for me on Windows 7. (I did not check KB3063858.)

I had the link for the update from https://docs.microsoft.com/en-us/dotnet/core/install/windows?tabs=netcore31 since I did not find an equivalent page for .NET 5 Preview 8. Perhaps, the documentation could be updated to point to KB4457144.

I get the message: "this update is not applicable to this computer" :-(

if you still want download KB2533623 , you can download here :
https://pan.baidu.com/s/1Z8ifuzK10AG6l-GXJTC0Sg
access password is : pyma

I think it asks me for an email account and password ... I guess it's because I have to register ... but I don't understand what it says or how to register! :-)

Try this GitHub download links :
https://github.com/coderbusy/runtime

The team is researching this. Does anyone have the errors they receive when they run or install .NET 5/Core without these patches?

We have two testing environments with clean Windows 7 SP1 x86 (without any updates installed) and clean Windows 10 1607 x64.
On Windows 7 SP1 x86 .NET Desktop Runtime 5.0.0 (windowsdesktop-runtime-5.0.0-win-x86.exe) installs without any problems, but when we run our .NET 5.0 test applications (console/WinForms x86) - we get an error:

The library hostfxr.dll was found, but loading it from C:\Program Files\dotnet\host\fxr\5.0.0\hostfxr.dll failed
Installing .NET Core prerequisites might help resolve this problem. https://go.microsoft.com/fwlink/?linkid=798306

Screenshot

image

Installing KB2533623 (from Web Archive) solves the problem, didn't test KB3063858 yet, mybe later..

P. S. Some of our customers have PCs isolated from Internet/WSUS - so we are to include KB patches in our software installer.

@adegeo
Today we again performed a test on our clean Windows 7 SP1 x86 (without any updates installed):
image
image
Latest .NET Desktop Runtime 5.0.1 (windowsdesktop-runtime-5.0.1-win-x86.exe) installs without any problems.
But when we run our .NET 5.0 test applications (console/WinForms x86) - we get an error:

The program can't start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem.

image

The main difference is that neither KB2533623 (from Web Archive) nor KB3063858 solves the problem this time.
The only working solution was installing KB2999226 (very strange because it is a prerequisite for .NET Framework 4.8 offline installer) and after that installing KB2533623 or KB3063858 (no matter which one).
Investigate this problem ASAP please.

P. S. Some of our customers have PCs isolated from Internet/WSUS - so we are to include KB patches in our software installer.

@bairog Thank you very much for this information, I'll pass it on to the team!

I can confirm that the security update is still not available.

@bairog Thank you very much for this information, I'll pass it on to the team!

@adegeo Don't pass it anywhere, just re-upload the file or fix the link.

In case you lost it, you can download it from web.archive.org. Maybe consider to make a big donation to the Internet Archive since they manage to to keep your security patches available and by that de facto handle Microsoft's customer service too. So I think they deserve some appreciation.

missing-security-update-KB2533623 small

Side note: your dots below the blue helicopter don't scale consistently in different resolutions as seen in the screen shot. Upon interpretation the helicopter appears to pick up the wrong dot or straight lost it. Kinda ironic.

I got some clarifications on what has happened. The old patches were removed because they are all signed with SHA-1 certificates, which are no longer secure due to shatter attacks. Microsoft as a whole has moved on to at least SHA-256 security and thus there was a company-wide effort to remove SHA-1 stuff.

However, there are newer patches which have been reported as including the fixes required to install .NET on Windows 7: https://www.catalog.update.microsoft.com/Search.aspx?q=kb4534310

@bairog would you be able to confirm this fixes your problem (if you have an easy test environment) I'm going to work on creating a test environment but it would be good to hear from you.

Cheers!

@adegeo

@bairog would you be able to confirm this fixes your problem (if you have an easy test environment) I'm going to work on creating a test environment but it would be good to hear from you.

I've performed a test on our clean Windows 7 SP1 x86 (without any updates installed). Installing KB4534310 update results in error:
Virtual-Box-Windows-7-SP1-x86-06-01-2021-14-03-32
UPDATE I had same error message before (when installing .NET Framework 4.8 on clean Windows7 SP1 x86).
Than time I've solved the problem by installing MicrosoftRootCertificateAuthority2011.cer (more info at StackOveflow).
But even installing that certificate is not enough for KB4534310 update. So the problem is still here.

P.S. Even if you find a way to install KB4534310 update and this update makes our our .NET 5.0 test applications (console/WinForms x86) work correctly - that is hardly suitable for us. KB4534310 update is a full monthly rollup (size for Windows 7 SP1 x86 is 204Mb). Including an update that is more than 2 times bigger than our software installer itself (it is less than 100Mb) - is a nonsence.
But we are to include KB patches in our software installer because some of our customers have PCs isolated from Internet/WSUS.
Hope you will a smaller separate update (1-5Mb) that will make .NET 5 work on clean Windows 7 SP1 x86.
Good luck.

@bairog Thank you for testing and giving me some results. I was able to spin up a test machine today too, a clean Win 7 x64 SP1 from the Visual Studio downloads. I also had that same error on some files but I fixed it by unblocking it in the file properties, was that not the source of the problem?

Your requirement of having a small footprint for distribution is noted. I'm passing that info and this post on to the team. I was able to boil down and confirm that these steps worked for me. I don't know though if windows update installed something behind me that may have contributed to its success:

  1. Microsoft Visual C++ 2015 Redistributable Update 3
  2. KB3063858 32-bit / 64-bit

I'm going to do another test networkless and make sure it works.
I validated on a connectionless VM that installing those two downloads worked, even with a .NET 5 WinForms project. I only tested with .NET 5. I think they said they improved things for .NET 5 so I'll have to test with 3.1 to see if that works too.

@adegeo
I can confirm that installing the following:

  1. Microsoft Visual C++ 2015 Redistributable Update 3
  2. KB3063858 32-bit / 64-bit

makes our .NET 5.0 test applications (console/WinForms x86) work correctly.

I can also confirm that Microsoft Visual C++ 2015-2019 Redistributable 32-bit / 64-bit can be used instead of Microsoft Visual C++ 2015 Redistributable Update 3.
It is already included in our software installer (part of our modules are C++) - so we need only include KB3063858 update (905Kb).
Great job!

P.S. Don't forget to change KB2533623 to KB3063858 and make some comments about Microsoft Visual C++ 2015-2019 Redistributable on .NET Core 3.1/.NET 5 necessary dependency page ASAP. Thank you.

Thanks for the additional information. I cannot get the installers for 2.1 working though so I'm investigating that. Regardless, I'll get this page updated with this information by tomorrow. Thanks again!

I cannot get the installers for 2.1 working though so I'm investigating that.

What exactly do you mean? .NET Core 2.1 or what?

Correct. I just fixed that though. The .NET Core 2.1 installer requires the certificate you linked to. Core 3.1 and .NET 5 don't require the certificate.

The .NET Core 2.1 installer requires the certificate you linked to.

NB To fully automate MicrosoftRootCertificateAuthority2011.cer certificate installation process (e. g. inside software installers) Certificate Manager (certmgr.exe) can be used to add the certificate via admin command prompt (more info at StackOverflow):

certmgr.exe /add MicrosoftRootCertificateAuthority2011.cer /s /r localMachine root

P. S. The Certificate Manager utility is automatically installed with Visual Studio (we obtained it exactly this way) but I suppose it would be handy to have a separate download link for this utility.

@adegeo I think you should add all this info for .NET Core 2.1 necessary dependency page

Thanks for the suggestion. I think I'll skip that for now though. Considering .NET Core 2.1 is going to be end of in 8 months and really anyone looking into automating things like installing certificates should be able to easily find that information on the net. Just a quick search turned up https://www.itninja.com/question/how-do-i-automate-the-import-of-a-certificate-cer-file for me.

If you strongly disagree, please open a new issue to discuss it and we can ask some other team members if how they feel about it :) Cheers!

@adegeo MicrosoftRootCertificateAuthority2011.cer certificate is required not only for .Net Core 2.1 offline installer (EOL in 8 months), but also for .NET Framework 4.8 offline installer (will ship with Windows and is promised to be serviced and supported).
So I've opened a new issue - #22308

@bairog, you cannot install Security Monthly Quality Rollup updates like that on a clean system. Also KB4534310 got superseded by KB4598279 in jan.2021. It's less relevant but informative. All of these updates require prerequisites themselves and I doubt there's a one that fits all for all Runtime needs. Best case scenario, is that the user has updated the machine.
For KB4534310's replacement the update path is:
1st KB4490628 + KB4474419
2nd KB4592510
3rd KB3042058, this one probably pertains to your certificate chain not trusted issue posted above
4th KB3125574 + KB3172605 + KB3179573
5th finally Security Monthly Quality Rollup KB4534310, or latest one per 2020, KB4592471
or
5th only for ESU licensees needed by 2021 updates and going forward, KB4575903 + KB3138612
6th and finally the KB4598279 the replacement for KB4534310

Overall, while vc runtime + KB3063858, which BTW, is not available in the update catalog (due to prob. the sha1 issue)., might have fixed your test, I doubt it's an overall fix for the whole requirements and dependencies of .NET 5.0 Runtime.
Users running clean or air gapped machines should still follow the update path, an unofficial SP2 if you will, even if it's large.