Visual Studio 2017 version 15.9 Release Notes

---

---

Developer Community | System Requirements | Compatibility | Distributable Code | License Terms | Blogs | Known Issues

---

---

---

---

Visual Studio 2017 version 15.9 is the final supported servicing baseline for Visual Studio 2017 and has entered the extended support period. Enterprise and Professional customers needing to adopt a long term stable and secure development environment are encouraged to standardize on this version. As explained in more detail in our lifecycle and support policy, version 15.9 will be supported with security updates through April 2027, which is the remainder of the Visual Studio 2017 product lifecycle.

Because Visual Studio 2017 is now in extended support, all administrator updates now cover all minor version ranges of the product. This means that all security updates delivered through the Microsoft Update Catalog or Microsoft Endpoint Manager will update the client to the latest secure version of the Visual Studio 2017 product.

.NET Core 2.1 is out of support as of August 21, 2021

---

• March 11, 2025 -- Visual Studio 2017 version 15.9.71
• February 11, 2025 -- Visual Studio 2017 version 15.9.70
• January 14, 2025 -- Visual Studio 2017 version 15.9.69
• November 12, 2024 -- Visual Studio 2017 version 15.9.68
• October 8, 2024 -- Visual Studio 2017 version 15.9.67
• September 10, 2024 -- Visual Studio 2017 version 15.9.66
• August 13, 2024 -- Visual Studio 2017 version 15.9.65
• July 9, 2024 -- Visual Studio 2017 version 15.9.64
• June 11, 2024 -- Visual Studio 2017 version 15.9.63
• May 14, 2024 -- Visual Studio 2017 version 15.9.62
• April 9, 2024 -- Visual Studio 2017 version 15.9.61
• February 13, 2024 (web) and March 12, 2024 (Microsoft Update) -- Visual Studio 2017 version 15.9.60
• January 9, 2024 -- Visual Studio 2017 version 15.9.59
• October 10, 2023 -- Visual Studio 2017 version 15.9.58
• September 12, 2023 -- Visual Studio 2017 version 15.9.57
• August 8, 2023 -- Visual Studio 2017 version 15.9.56
• Apr 11, 2023 -- Visual Studio 2017 version 15.9.54
• Mar 14, 2023 -- Visual Studio 2017 version 15.9.53
• Feb 14, 2023 -- Visual Studio 2017 version 15.9.52
• November 8, 2022 -- Visual Studio 2017 version 15.9.51
• August 9, 2022 -- Visual Studio 2017 version 15.9.50
• June 14, 2022 -- Visual Studio 2017 version 15.9.49
• May 10, 2022 -- Visual Studio 2017 version 15.9.48
• April 19, 2022 -- Visual Studio 2017 version 15.9.47
• April 12, 2022 -- Visual Studio 2017 version 15.9.46
• March 8, 2022 -- Visual Studio 2017 version 15.9.45
• February 8, 2022 -- Visual Studio 2017 version 15.9.44
• January 11, 2022 -- Visual Studio 2017 version 15.9.43
• December 14, 2021 -- Visual Studio 2017 version 15.9.42
• November 09, 2021 -- Visual Studio 2017 version 15.9.41
• October 12, 2021 -- Visual Studio 2017 version 15.9.40
• September 14, 2021 -- Visual Studio 2017 version 15.9.39
• August 10, 2021 -- Visual Studio 2017 version 15.9.38
• July 13, 2021 -- Visual Studio 2017 version 15.9.37
• May 11, 2021 -- Visual Studio 2017 version 15.9.36
• April 13, 2021 -- Visual Studio 2017 version 15.9.35
• March 09, 2021 -- Visual Studio 2017 version 15.9.34
• February 10, 2021 -- Visual Studio 2017 version 15.9.33
• February 09, 2021 -- Visual Studio 2017 version 15.9.32
• January 12, 2021 -- Visual Studio 2017 version 15.9.31
• December 08, 2020 -- Visual Studio 2017 version 15.9.30
• November 10, 2020 -- Visual Studio 2017 version 15.9.29
• October 13, 2020 -- Visual Studio 2017 version 15.9.28
• September 8, 2020 -- Visual Studio 2017 version 15.9.27
• August 11, 2020 -- Visual Studio 2017 version 15.9.26
• July 14, 2020 -- Visual Studio 2017 version 15.9.25
• June 09, 2020 -- Visual Studio 2017 version 15.9.24
• May 12, 2020 -- Visual Studio 2017 version 15.9.23
• April 14, 2020 -- Visual Studio 2017 version 15.9.22
• March 10, 2020 -- Visual Studio 2017 version 15.9.21
• February 11, 2020 -- Visual Studio 2017 version 15.9.20
• January 14, 2020 -- Visual Studio 2017 version 15.9.19
• December 10, 2019 -- Visual Studio 2017 version 15.9.18
• October 15, 2019 -- Visual Studio 2017 version 15.9.17
• September 10, 2019 -- Visual Studio 2017 version 15.9.16
• August 13, 2019 -- Visual Studio 2017 version 15.9.15
• July 9, 2019 -- Visual Studio 2017 version 15.9.14
• June 11, 2019 -- Visual Studio 2017 version 15.9.13
• May 14, 2019 -- Visual Studio 2017 version 15.9.12
• April 02, 2019 -- Visual Studio 2017 version 15.9.11
• March 25, 2019 -- Visual Studio 2017 version 15.9.10
• March 12, 2019 -- Visual Studio 2017 version 15.9.9
• March 05, 2019 -- Visual Studio 2017 version 15.9.8
• February 12, 2019 -- Visual Studio 2017 version 15.9.7
• January 24, 2019 -- Visual Studio 2017 version 15.9.6
• January 08, 2019 -- Visual Studio 2017 version 15.9.5
• December 11, 2018 -- Visual Studio 2017 version 15.9.4
• November 28, 2018 -- Visual Studio 2017 version 15.9.3
• November 19, 2018 -- Visual Studio 2017 version 15.9.2
• November 15, 2018 -- Visual Studio 2017 version 15.9.1
• November 13, 2018 -- Visual Studio 2017 version 15.9 Minor Release

---

---

released March 11th, 2025

• CVE-2025-24998 Visual Studio Installer Elevation of Privilege Vulnerability

---

released February 11th, 2025

• CVE-2025-21206 Visual Studio Installer Elevation of Privilege - Uncontrolled Search Path Element allows an unauthorized attacker to elevate privileges locally.

---

released January 14th, 2025

• CVE-2025-21172 .NET and Visual Studio Remote Code Execution Vulnerability
• CVE-2025-21176 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
• CVE-2025-21178 Visual Studio Remote Code Execution Vulnerability
• CVE-2024-50338 Carriage-return character in remote URL allows malicious repository to leak credentials

---

released November 12th, 2024

• This update includes fixes pertaining to Visual Studio compliance.

---

released October 8th, 2024

• Updated authentication method used when interacting with the Microsoft Store.

• CVE-2024-43603 Denial of Service Vulnerability in Visual Studio Collector Service
• CVE-2024-43590 Elevation of Privilege Vulnerability in Visual Studio C++ Redistributable Installer

---

released September 10th, 2024

CVE-2024-35272 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability

---

released August 13th, 2024

• Starting with this release the Visual Studio Installer will no longer offer to install the optional Xamarin Workbooks component.
• Starting with this release the Visual Studio Installer will no longer offer to install the Visual Studio Emulator for Android component.

• CVE-2024-29187(Republished) - WiX based installers are vulnerable to binary hijack when run as SYSTEM

---

released July 9th, 2024

• Version 6.2 of AzCopy is no longer distributed as part of the Azure Workload in Visual Studio due to deprecation. The latest supported release of AzCopy can be downloaded from Get started with AzCopy.
• Starting with this release the Visual Studio Installer will no longer offer to install the Windows 10 Mobile Emulators. If you would still like to use these you can install them from the Windows SDK and emulator archive page.
• Update MinGit to v2.45.2.1 that includes GCM 2.5 which addresses an issue with the previous GCM version where it reported an error back to Git after cloning and made it appear like the clone had failed.

---

released June 11th, 2024

• CVE-2024-30052 Remote Code Execution when debugging dump files that contain a malicious file with an appropriate extension
• CVE-2024-29060 Elevation of Privilege where affected installation of Visual Studio is running
• CVE-2024-29187 WiX based installers are vulnerable to binary hijack when run as SYSTEM

---

released May 14th, 2024

• This release includes an OpenSSL update to v3.2.1

• CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution.
• CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories

---

released April 9th, 2024

• With this bug fix, a client can now use the bootstrapper in a layout and pass in the --noWeb parameter to install on a client machine and ensure that both the installer and the Visual Studio product are downloaded only from the layout. Previously, sometimes during the installation process, the installer would not respect the -noWeb parameter and would try to self-update itself from the web.

---

released to the web on February 13, 2024 and released to Microsoft Update on March 12, 2024

• The "Remove Out of Support Components" in the Visual Studio Installer UI will now remove the out of support versions of the .NET runtime included in 15.9 (.NET Core 1.1 and 2.1 were impacted).

---

released January 9th, 2024

• Updated MinGit to v2.43.0.1 which comes with OpenSSL v3.1.4 and addresses a regression where network operations were really slow under certain circumstances.

• CVE-2024-20656 A vulnerability exists in the VSStandardCollectorService150 service, where local attackers can escalate privileges on hosts where an affected installation of Microsoft Visual Studio is running.

---

released on October 10, 2023

• To improve reliability of the Visual Studio Setup WMI provider, we have moved it to a dedicated namespace, root/cimv2/vs. This prevents any conflicts with other WMI providers that shared the same, foundational namespace, and prevents cases where the Visual Studio Setup WMI provider fails to detect Visual Studio.

---

released on September 12, 2023

• CVE-2023-36796This security update addresses a vulnerability in DiaSymReader.dll when reading a corrupted PDB file which can lead to Remote Code Execution.
• CVE-2023-36794This security update addresses a vulnerability in DiaSymReader.dll when reading a corrupted PDB file which can lead to Remote Code Execution.
• CVE-2023-36793This security update addresses a vulnerability in DiaSymReader.dll when reading a corrupted PDB file which can lead to Remote Code Execution.
• CVE-2023-36792This security update addresses a vulnerability in DiaSymReader.dll when reading a corrupted PDB file which can lead to Remote Code Execution.

---

released on August 8, 2023

• Addressed an issue where VSWhere's all switch would not return instances in an un-launchable state.

• CVE-2023-36897 Visual Studio 2010 Tools for Office Runtime Spoofing Vulnerability This security update addresses a vulnerability where unauthenticated remote attacker can sign VSTO Add-ins deployments without a valid code signing certificate.

---

released on June 13, 2023

• As part of this update, to address CVE-2023-27909, CVE-2023-27910, and CVE-2023-27911, we are removing .fbx and .dae support. This is a third-party x86 component that is no longer supported by the author. Affected users should use the fbx editor.

• CVE-2023-24897 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability in the MSDIA SDK where corrupted PDBs can cause heap overflow, leading to a crash or remote code execution.
• CVE-2023-25652 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability where specially crafted input to git apply –reject can lead to controlled content writes at arbitrary locations.
• CVE-2023-25815 Visual Studio Spoofing Vulnerability This security update addresses a vulnerability where Github localization messages refer to a hard-coded path instead of respecting the runtime prefix that leads to out-of-bound memory writes and crashes.
• CVE-2023-29007 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability in which a configuration file containing a logic error results in arbitrary configuration injection.
• CVE-2023-29011 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability in which the Git for Windows executable responsible for implementing a SOCKS5 proxy is susceptible to picking up an untrusted configuration on multi-user machines.
• CVE-2023-29012 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability in which the Git for Windows Git CMD program incorrectly searches for a program upon startup, leading to silent arbitrary code execution.
• CVE-2023-27909 Visual Studio Remote Code Execution Vulnerability This security update addresses an Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK where version 2020 or prior may lead to code execution through maliciously crafted FBX files or information disclosure.
• CVE-2023-27910 Visual Studio Information Disclosure Vulnerability This security update addresses a vulnerability where a user may be tricked into opening a malicious FBX file that may exploit a stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior which may lead to remote code execution.
• CVE-2023-27911 Visual Studio Remote Code Execution Vulnerability This security update addresses a vulnerability where a user may be tricked into opening a malicious FBX file that may exploit a heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior which may lead to remote code execution.
• CVE-2023-33139 Visual Studio Information Disclosure Vulnerability This security update addresses a OOB vulnerability where the obj file parser in Visual Studios leads to information disclosure.

released on Apr 11, 2023

• Fixed an issue in IIS Express that could cause a crash when updating telemetry data.

• iisexpress crashes in ntdll.dll

• CVE-2023-28296 Visual Studio Remote Code Execution Vulnerability
• CVE-2023-28299 Visual Studio Spoofing Vulnerability

---

released on Mar 14, 2023

• Git 2.39 has renamed the value for credential.helper from "manager-core" to "manager". See https://aka.ms/gcm/rename for more information.
• Updates to mingit and Git for Windows package to v2.39.2, which addresses CVE-2023-22490

• CVE-2023-22490 Mingit Remote Code Execution Vulnerability
• CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability
• CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability
• CVE-2023-23946 Mingit Remote Code Execution Vulnerability

---

released on Feb 14, 2023

• Updates to mingit and Git for Windows package to v2.39.1.1, which addresses CVE-2022-41903

• CVE-2023-21566 Visual Studio Installer Elevation of Privilege Vulnerability
• CVE-2023-21567 Visual Studio Denial of Service Vulnerability
• CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability
• CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability
• CVE-2023-23381 Visual Studio Code Remote Code Execution Vulnerability
• CVE-2022-23521 gitattributes parsing integer overflow
• CVE-2022-41903 Heap overflow in git archive, git log --format leading to RCE
• CVE-2022-41953 Git GUI Clone Remote Code Execution Vulnerability

---

released on November 8, 2022

• Administrators will be able to update the VS Installer on an offline client machine from a layout without updating VS.

• CVE-2022-41119 Remote Code Execution Heap Overflow Vulnerbaility in Visual Studio
• CVE-2022-39253 Information Disclosure Local clone optimization dereferences symbolic links by default

---

released on August 9, 2022

• Updates Git for Windows to v2.37.1.1 addressing CVE-2022-31012.

• CVE-2022-31012 Remote Code Execution Git for Windows' installer can be tricked into executing an untrusted binary
• CVE-2022-29187 Elevation of Privilege Malicious users can create a .git directory in a folder that is owned by a super-user
• CVE-2022-35777 Remote Code Execution Visual Studio 2022 Preview Fbx File parser Heap overflow Vulnerability
• CVE-2022-35825 Remote Code Execution Visual Studio 2022 Preview Fbx File parser OOBW Vulnerability
• CVE-2022-35826 Remote Code Execution Visual Studio 2022 Preview Fbx File parser Heap overflow Vulnerability
• CVE-2022-35827 Remote Code Execution Visual Studio 2022 Preview Fbx File parser Heap OOBW Vulnerability

---

released on June 14, 2022

• CVE-2022-24513 Elevation of privilege vulnerability A potential elevation of privilege vulnerability exists when the Microsoft Visual Studio updater service improperly parses local configuration data.

---

released on May 10, 2022

• Updated Git for Windows version consumed by Visual Studio and installable optional component to 2.36.0.1
• Fixed an issue with git integration, where if pulling/synchronizing branches that have diverged, output window would not show a localized hint on how to resolve it.

CVE-2022-29148 Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

CVE-2022-24513 Elevation of privilege vulnerability A potential elevation of privilege vulnerability exists when the Microsoft Visual Studio updater service improperly parses local configuration data.

---

released on April 19, 2022

• Fixed vctip.exe regression from 15.9.46.

---

released on April 12, 2022

CVE-2022-24765 Elevation of privilege vulnerability A potential elevation of privilege vulnerability exists in Git for Windows, in which Git operations could run outside a repository while seraching for a Git directory. Git for Windows is now updated to version 2.35.2.1.

CVE-2022-24767 DLL hijacking vulnerability A potential DLL hijacking vulnerability exists in Git for Windows installer, when running the uninstaller under the SYSTEM user account. Git for Windows is now updated to version 2.35.2.1.

CVE-2022-24513 Elevation of privilege vulnerability A potential elevation of privilege vulnerability exists when the Microsoft Visual Studio updater service improperly parses local configuration data.

---

released on March 8, 2022

CVE-2021-3711 OpenSSL Buffer Overflow vulnerability A potential buffer overflow vulnerability exists in OpenSSL, which is consumed by Git for Windows. Git for Windows is now updated to version 2.35.1.2, which addresses this issue.

---

released on February 8, 2022

CVE-2022-21871 Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability An elevation of privilege vulnerability exists if the Diagnostics Hub Standard Collector incorrectly handles data operations.

---

released on January 11, 2022

• Fixed an issue with being unable to debug applications multiple times when Windows Terminal is used as the default terminal.
• Fixed an issue that prevented a client from being able to update a more current bootstrapper. Once the client is using the bootstrapper and installer that shipped January 2022 or later, all updates using subsequent bootstrappers should work for the duration of the product lifecycle.

---

released on December 14, 2021

• Marked CPython 3.6.6 as out of support because of a security vulnerability.

---

released on November 09, 2021

CVE-2021-42319 Elevation of Privilege Vulnerability An Elevation of Privilege vulnerability exists in the WMI Provider that is included in the Visual Studio installer.

CVE-2021-42277 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector incorrectly handles file operations.

---

released on October 12, 2021

CVE-2020-1971 OpenSSL Denial of Service Vulnerability Potential denial of service on OpenSSL library, which is consumed by Git.

CVE-2021-3449 OpenSSL Denial of Service Vulnerability Potential denial of service on OpenSSL library, which is consumed by Git.

CVE-2021-3450 OpenSSL Potential bypass of the X509_V_FLAG_X509_STRICT flag A potential flag bypass in OpenSSL library, which is consumed by Git.

---

released on September 14, 2021

• When using the Tools -> Get Tools and Features menu item in Visual Studio, an error would occur stating that the Visual Studio Installer could not be found. This fix enables Visual Studio to correctly locate the installer location.

CVE-2021-26434 Visual Studio Incorrect Permission Assignment Privilege Escalation Vulnerability A permission assignment vulnerability exists in Visual Studio after installing the Game development with C++ and selecting the Unreal Engine Installer workload. The system is vulnerable to LPE during the installation it creates a directory with write access to all users.

CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

---

released on August 10, 2021

• .NET Core 2.1 will reach End of Support on August 21, 2021

• Fixed an issue that affected command line execution of the update command. If the update fails the first time, a subsequent issuing of the update command now causes the update to resume the prior operation where it left off.

CVE-2021-26423 .NET Core Denial of Service Vulnerability

A denial of service vulnerability exists where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame.

CVE-2021-34485 .NET Core Information Disclosure Vulnerability

An information disclosure vulnerability exists when dumps created by the tool to collect crash dumps and dumps on demand are created with global read permissions on Linux and macOS.

CVE-2021-34532 ASP.NET Core Information Disclosure Vulnerability

An information disclosure vulnerability exists in where a JWT token is logged if it cannot be parsed.

---

released on July 13, 2021

• Fixed creating an offline Visual Studio 2017 installation layout containing the Game Development with Unity workload and the Unity Editor optional component from China.

---

released on May 11, 2021

• Fixed an issue causing updates to fail when an administrator creates a new layout of Visual Studio for deploying updates. The client machine update will fail since the layout has moved locations.

---

released on April 13, 2021

CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability

A remote code execution vulnerability exists when the Visual Studio installer executes the feedback client in an elevated state.

CVE-2021-28313 / CVE-2021-28321 / CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector incorrectly handles data operations.

---

released on March 09, 2021

CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Visual Studio clones a malicious repository.

CVE-2021-26701 .NET Core Remote Code Execution Vulnerability

A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.

---

released on February 10, 2021

• Fixed an issue causing an unexpect Visual Studio crash when docking or splitting windows.

---

released on February 09, 2021

CVE-2021-1639 TypeScript Language Service Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Visual Studio loads a malicious repository containing JavaScript or TypeScript code files.

CVE-2021-1721 .NET Core Denial of Service Vulnerability

A denial-of-service vulnerability exists when creating HTTPS web request during X509 certificate chain building.

CVE-2021-24112 .NET 5 and .NET Core Remote Code Execution Vulnerability

A remote code execution vulnerability exists when disposing metafiles when a graphics interface still has a reference to it. This vulnerability only exists on systems running on MacOS or Linux.

---

released on January 12, 2021

CVE-2021-1651 / CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector incorrectly handles data operations.

CVE-2020-26870 Visual Studio Installer Remote Code Execution Vulnerability

A remote code execution vulnerability exists when the Visual Studio Installer attempts to show malicious markdown.

---

released on December 08, 2020

• Fixed a C++ compiler crash when compiling a call to a function taking generic arguments in C++/CLI.

CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Visual Studio clones a malicious repository.

---

released on November 20, 2020

• 15.9.12 - linker crash during code generation
• v141 generates movaps for unaligned assignments on x64

CVE-2020-17100 Visual Studio Tampering Vulnerability

A tampering vulnerability exists when the Python Tools for Visual Studio creates the python27 folder. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

---

released on October 13, 2020

• .NET Core SDK 2.1.519 updated into Visual Studio 2019.

---

released on September 8, 2020

• Out of support versions of .NET Core will no longer be reinstalled during a repair or upgrade if they were removed outside of VS setup.

CVE-2020-1130 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles data operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

CVE-2020-1133 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

CVE-2020-16856 Visual Studio Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

CVE-2020-16874 Visual Studio Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

CVE-2020-1045 Microsoft ASP.NET Core Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.

---

released on August 11, 2020

• Visual Studio 2017 15.9.23 or cl 19.16.27040 problem with inline static class member (renew)

CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

---

released on July 14, 2020

• Compiler CodeGen regression for calling a virtual function with V15.9
• 1.0 and 2.0 .NET Core runtimes have been marked as "out of support" in the setup UI and made optional for all scenarios.

CVE-2020-1393 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Diagnostics Hub Standard Collector Service fails to properly sanitize input, leading to an unsecure library-loading behavior.

CVE-2020-1416 Visual Studio Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Visual Studio when it loads software dependencies. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user.

CVE-2020-1147 .NET Core Denial of Service Vulnerability

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an ASP.NET Core application, or other application that parses certain types of XML. The security update addresses the vulnerability by restricting the types that are allowed to be present in the XML payload.

---

released on June 02, 2020

• Fixed a bug in the C++ linker missing imports when using umbrella LIBs with difference casing on postfix of DLL name.
• Fixed a bug in the ARM64 C++ compiler where the wrong values could be restored after setjmp.
• Fixed C++ compiler bug for proper folding of inline variable dynamic initializers.
• Made a change that enables Enterprise IT administrators and deployment engineers to configure tools like Microsoft Update client & SCCM to determine applicability of VS2017 updates hosted on Microsoft Update Catalog & WSUS.

CVE-2020-1202 / CVE-2020-1203Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector fails to properly handle objects in memory.

CVE-2020-1293 / CVE-2020-1278 / CVE-2020-1257 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations.

CVE-2020-1108 / CVE-2020-1108 / CVE-2020-1108 .NET Core Denial of Service Vulnerability

To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1. Customers who use any of these versions of .NET Core should install the latest version of .NET Core. See the Release Notes for the latest version numbers and instructions for updating .NET Core.

---

released on May 12, 2020

• Fixed C++ compiler bug for proper folding of inline variable dynamic initializers. Ported from the VS 2019 16.0 release.
• Security improvements in vctip.exe.
• A change to enable Enterprise IT administrators and deployment engineers to configure tools like Microsoft Update client & SCCM to determine applicability of VS2017 updates hosted on Microsoft Update Catalog & WSUS.

CVE-2020-1108 .NET Core Denial of Service Vulnerability

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application. The security update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

---

released on April 14, 2020

• VS2017 C++ sometimes set wrong exception frame.

CVE-2020-0899 Microsoft Visual Studio Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when Microsoft Visual Studio updater service improperly handles file permissions. An attacker who successfully exploited this vulnerability could overwrite arbitrary file content in the security context of the local system.

CVE-2020-0900 Visual Studio Extension Installer Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Visual Studio Extension Installer Service improperly handles file operations. An attacker who successfully exploited the vulnerability could delete files in arbitrary locations with elevated permissions.

CVE-2020-5260 Git for Visual Studio Credential Leak Vulnerability due to insufficient validation on URLs

A credential leak vulnerability exists when specially crafted URLs are parsed and sent to credential helpers. This can lead to credentials being sent to the wrong host.

---

released on March 10, 2020

• Fixed a bug where the .NET Profiling tools couldn't be installed on non-enterprise versions of Visual Studio 2017 when using an offline installer.
• Fixed C++ compiler bug where a static_cast in a decltype would evaluate incorrectly. To minimize disruptions to existing codebases, in VS2017 this fix takes effect when the (newly added) /d1decltypeIdentityConversion switch is thrown.
• New Spectre mitigation options in C++ compiler: [/cpp/build/reference/qspectre-load /Qspectre-load</a> & [/cpp/build/reference/qspectre-load-cf /Qspectre-load-cf</a> for speculative load hardening.

CVE-2020-0793 / CVE-2020-0810 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles file operations, or the Windows Diagnostics Hub Standard Collector Service fails to properly sanitize input.

CVE-2020-0884 Spoofing vulnerability when creating Outlook Web -Add-in

A spoofing vulnerability exists when creating an Outlook Web-Addin if multi-factor authentication is enabled

---

released on February 11, 2020

• SQL server test configuration error
• Fixed SQL server object explorer causing a crash when customers sort data of a table.

---

released on January 14, 2020

• Fixed an issue in C++ optimizer where the impact of writing to unknown memory inside a call wasn’t properly accounted for in the caller.

CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The security update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.

CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The security update addresses the vulnerability by correcting how the ASP.NET Core web application handles in memory.

---

released on December 10, 2019

• May allow mitigation of a Per-Monitor awareness related crash in Visual Studio

CVE-2019-1349 Git for Visual Studio Remote Excecution Vulnerability due to too lax restrictions on submodule names

A remote code execution vulnerability exists when Git runs into collisions of submodule names for directories of sibling submodules. An attacker who successfully exploited this vulnerability could remote execute code on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which requires the directory for the submodules’ clone to be empty.

CVE-2019-1350 Git for Visual Studio Remote Excecution Vulnerability due to incorrect quoting of command-line arguments

A remote code execution vulnerability exists when Git interprets command-line arguments with certain quoting during a recursive clone in conjunction with SSH URLs. An attacker who successfully exploited this vulnerability could remote execute code on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which fixes the issue.

CVE-2019-1351 Git for Visual Studio Arbitrary File Overwrite Vulnerability due to usage of non-letter drive names during clone

An arbitrary file overwrite vulnerability exists in Git when non-letter drive names bypass safety checks in git clone. An attacker who successfully exploited this vulnerability could write to arbitrary files on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which fixes the issue.

CVE-2019-1352 Git for Visual Studio Remote Excecution Vulnerability due to unawareness of NTFS Alternate Data Stream

A remote code execution vulnerability exists in Git when cloning and writing to .git/ directory via NTFS alternate data streams. An attacker who successfully exploited this vulnerability could remote execute code on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which has been made aware of NTFS alternate data streams.

CVE-2019-1354 Git for Visual Studio Arbitrary File Overwrite Vulnerability due to not refusing to write out tracked files containing backslashes

An arbitrary file overwrite vulnerability exists in Git when tree entries with backslashes and malicious symlinks could break out of the work tree. An attacker who successfully exploited this vulnerability could write to arbitrary files on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which does not allow this usage of backslashes.

CVE-2019-1387 Git for Visual Studio Remote Execution Vulnerability due to too lax validation of submodule names in recursive clones

A remote code execution vulnerability exists in Git when cloning recursively with submodules. An attacker who successfully exploited this vulnerability could remote execute code on the target machine. The security update addresses the vulnerability by taking a new version of Git for Windows which tightens validation of submodule names.

---

released on October 15, 2019

CVE-2019-1425 NPM Package Elevation of Privilege Vulnerability (published November 12, 2019)

An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks when extracting archived files. The vulnerabilities were introduced by NPM packages used by Visual Studio as described in the following two NPM advisories: npmjs.com/advisories/803 and npmjs.com/advisories/886. The updated versions of these NPM packages were included in this version of Visual Studio.

---

released on September 10, 2019

• Assembly does not match code for function
• System.InvalidProgramException: Common Language Runtime detected an invalid program. when instrumenting x64 projects
• Cross-EH mode inlining of noexcept code produces unexpected behavior
• Corrected issue with HTML Help Workshop failing to repair.

CVE-2019-1232 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.

CVE-2019-1301 Denial of Service Vulnerability in .NET Core

A denial of service vulnerability exists when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication.

The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

---

released on August 13, 2019

• Updated signing of VC Redist packages to enable continued deployment on Windows XP. This fix may have an increased chance of requiring a reboot of the machine in order to install an updated VC++ Redistributable package.
• Fixed in issue where GoToDefinition does not work for JavaScript in script blocks of cshtml files.
• Calling pmr monotonic_buffer_resource release will corrupt memory.
• Fix for HRESULT E_FAIL build error in some C++ projects when upgrading to 15.9.13

CVE-2019-1211 Git for Visual Studio Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files. An attacker who successfully exploited the vulnerability could execute code in the context of another local user. To exploit the vulnerability, an authenticated attacker would need to modify Git configuration files on a system prior to a full installation of the application. The attacker would then need to convince another user on the system to execute specific Git commands. The update addresses the issue by changing the permissions required to edit configuration files.

---

released on July 9, 2019

• Fixed a bug causing Visual Studio 2017 crashes when switching branches.
• Fixed a bug causing internal compiler error (fbtctree.cpp', line 5540) during code analysis.
• Fixed a performance regression in memcpy/memset for Ryzen processors.
• Updated Service Fabric tooling to support the 6.5 Service Fabric release.
• Enabled screen reader to announce TeamExplorer's notifications properly on .NET 4.8.
• VS2017 15.8 Internal compiler error ('msc1.cpp', line 1518): Conflict between preprocessor and #import
• ICE in PREfast 19.16.27023.1 (15.9 RTW).

CVE-2019-1075 ASP.NET Core Spoofing Vulnerability

.NET Core updates have released today and are included in this Visual Studio update. This release addresses security and other important issues. Details can be found in the .NET Core release notes.

CVE-2019-1077 Visual Studio Extension Auto Update Vulnerability

An elevation of privilege vulnerability exists when the Visual Studio Extension auto-update process improperly performs certain file operations. An attacker who successfully exploited this vulnerability could delete files in arbitrary locations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system. The security update addresses the vulnerability by securing locations the Visual Studio Extension auto-update performs file operations in.

CVE-2019-1113 WorkflowDesigner XOML deserialization allows code execution

A XOML file referencing certain types could cause random code to be executed when the XOML file is opened in Visual Studio. There is now a restriction on what types are allowed to be used in XOML files. If a XOML file containing one of the newly unauthorized types is opened, a message is displayed explaining that the type is unauthorized.

For further information, please refer to https://support.microsoft.com/help/4512190/remote-code-execution-vulnerability-if-types-are-specified-in-xoml.

---

released on June 11, 2019

• Fixed a bug that caused Code Analysis to stop running on some C++ projects.
• Fixed a bug in the Schema Compare Tool where adding tables with an empty schema failed but was shown as successful.
• Fixed a TypeScript build issue when the selected language version is lower than the latest installed.
• Fixed a Database unresolved reference to object error.
• Improved performance issues on loading Visual Studio.
• No snapshot created for C++ native code in Memory Usage tool in the Diagnostic Tools window while debugging.
• SSDT adds hardcoded mmsdb and/or master.dacpac path
• SSDT Add reference to System Database: "ArtifactReference" and "HintPath" swapped causing build failure when using MSBuild

---

released on May 14, 2019

• Access violation C++ /CLI 15.9.5 ISO C++ Latest Draft Standard since 15.9.5.
• An error occurred loading this property page (CSS & JSON).
• Visual Studio 2017 crashing when editing package.json.
• Opening package.json locks up Visual Studio.
• PGO Code Gen Bug - Vectorized instruction accessing memory OOB.
• Bad code gen in recursive bucket split routine.
• Compiler optimization bug in 15.8.9.
• Fixed a linker error LNK4020 when using PCH, /Zi, and /GL in distributed build systems, such as IncrediBuild. The C++ compiler backend now correctly associates CIL OBJs with their corresponding compiler generated PDB when generating debug info for cross-module inlining.

CVE-2019-0727 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly performs certain file operations. An attacker who successfully exploited this vulnerability could delete files in arbitrary locations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system. The security update addresses the vulnerability by securing locations the Diagnostics Hub Standard Collector performs file operations in.

---

released on April 02, 2019

• Access violation C++ /CLI 15.9.5 ISO C++ Latest Draft Standard since 15.9.5.
• PGO Code Gen Bug - Vectorized instruction accessing memory OOB.
• Visual Studio completely freezes when editing package.json.
• An error occurred loading this property page (CSS & JSON).
• Clicking on a web app URL in the Azure activity log now successfully publishes a Cloud Service Project.
• You can now publish to a Function app even if you are not logged into the account that contains the function app.
• We have fixed an unhandled exception in the HTML editor.
• We have updated the scaffolding package to install Microsoft.VisualStudio.Web.CodeGeneration.Design package version 2.1.9 for .NET Core 2.1 and version 2.2.3 for .NET Core 2.2.
• We have implemented a C++ compiler fix to correct exception handling support for code using setjmp/longjmp in Release mode.
• We have implemented a C++ linker fix regarding information in PDB where the incorrect module info could result in heap corruption when producing a stripped PDB file either by PDBCopy.exe or by link.exe when option /PDBSTRIPPED is specified.
• We have corrected dual signing of the ARM64 Visual C++ Redistributable installer.

---

released on March 25, 2019

• We have fixed an [issue with debugging using Docker when a web proxy is configured.](https://github.com/Microsoft/DockerTools/issues/600
• In debugging using Docker, you will now experience improved error handling for failures related to drive sharing configuration (for example, expired credentials).

---

released on March 12, 2019

• We have fixed an [issue with deploying resource group projects when a subscription owner's name contains an apostrophe(https://developercommunity.visualstudio.com/content/problem/133475/unable-to-deploy-to-azure-resource-group.html).
• SSDT: We fixed a crash in the SSIS Foreach Loop container.
• A few .NET native for UWP customer issues were fixed in .NET native tools 2.2 (UWP 6.2.4).
• We have corrected dual signing of Visual C++ Redistributable installers.

CVE-2019-9197 Unity Editor Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the Unity Editor, a 3rd party software that Visual Studio offers to install as part of the Game Development with Unity workload. If you've installed Unity from Visual Studio, please make sure to update the version of Unity you're using to a version that addresses the vulnerability as described in the CVE. The Visual Studio installer has been updated to offer to install a Unity Editor version which addresses the vulnerability.

CVE-2019-0809 Visual Studio Remote Code Execution Vulnerability

A remote code execution vulnerability exists when the Visual Studio C++ Redistributable Installer improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could execute arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker must place a malicious DLL on a local system and convince a user to execute a specific executable. The security update addresses the vulnerability by correcting how the Visual Studio C++ Redistributable Installer validates input before loading DLL files.

CVE-2019-0757 .NET Core NuGet Tampering Vulnerability

A tampering vulnerability exists in NuGet software when executed in a Linux or Mac environment. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that an attacker can login as any other user on that machine. At that point, the attacker will be able to replace or add to files that were created by a NuGet restore operation in the current users account.

.NET Core updates have released today and are included in this Visual Studio update. The security update addresses the vulnerability by correcting how NuGet restore creates file permissions for all files extracted to the client machine. Details about the packages can be found in the .NET Core release notes.

---

released on March 05, 2019

• ModelBus-enabled text transformation fails on 15.8.
• SSDT: Fix to improve performance of loading solutions with multiple projects.
• Vulnerabilities in the OpenJDK Platform binary.

---

released on February 12, 2019

• Crashes when expanding variables!.
• /DEBUG:FASTLINK + C7 + PCH crashes debugger.
• Native C++ application crashes because of stack corruption with VS 2017 15.9.2.
• Incorrect Release Mode code.
• Xamarin Unobserved Task Exception WebRequest.
• Link /SOURCELINK option seems to do nothing. This fixes Source Link for Managed C++ Debugging.
• Fixed an issue with corruption of AVX/MPX/AVX512 registers while Debugging.
• Update of Microsoft.VCLibs.140.00.UWPDestkop framework packages for C++ UWP DesktopBridge applications adding support for ARM64.
• Corrected incorrect version of VCToolsRedistVersion in Microsoft.VCToolsVersion.default.props.
• Corrected unsigned embedded dll for VC Redist installers.
• SSDT/Web Tools: We fixed an issue where SQL LocalDB was not installed on Polish, Turkish, and Czech locales.
• SSDT: We fixed an issue affecting SQL Server Analysis Services (Method not found exception when clicking on UI)
• SSDT: We fixed an accessibility issue which was causing the contents of a table not to be visible in the result window when using High-Contrast mode.

CVE-2019-0613 WorkflowDesigner XOML deserialization allows code execution

A XOML file referencing certain types could cause random code to be executed when the XOML file is opened in Visual Studio. There is now a restriction on what types are allowed to be used in XOML files. If a XOML file containing one of the newly unauthorized types is opened, a message is displayed explaining that the type is unauthorized.

For further information, please refer to XOML vulnerability documentation

CVE-2019-0657 .NET Framework and Visual Studio Spoofing Vulnerability

.NET Core updates have released today and are included in this Visual Studio update. This release addresses security and other important issues. Details can be found in the .NET Core release notes.

---

released on January 24, 2019

• Installation failures of the Unity Editor component in China
• Starting a new nanoFramework project from a template.
• Deployment errors after VS2017 update.
• Android Deploy failed - Error ADB0010.
• Error in German translation: info bar "session closed unexpectedly".
• Visual Studio 2017 create offline layout problem: Failed to load from stream for non-ENU layouts.
• Extension auto-update can leave extension disabled.

---

released on January 08, 2019

• VSX1000: No enough information has been provided to MSBuild in order to establish a connection to a Remote Server.
• Visual C++ 2017 Redistributable for ARM64 is not available via visualstudio.com.
• VC Runtime Redistributable Update for VS 15.9 deletes Registry Key.This fix may have an increased chance of requiring a reboot of the machine in order to install an updated VC++ Redistributable package.
• Incorrect codegen in managed c++ with List to List assignment.
• Can't connect to mac build host after Visual Studio 15.9.4 update.
• Resource directories missed in incremental builds with AndroidAarLibrary items.
• [Lots of external assembly references - JNI ERROR (app bug): local reference table overflow (max=512.)]((https://github.com/xamarin/xamarin-android/issues/2257)
• The Unity Editor has been updated to 2018.3. For more information, please visit the Unity website.
• SSDT: We enabled SQL projects to build schemas that have non-clustered columnstore indexes on an indexed views.
• SSDT: We fixed a significant performance issue in the schema compare tool when generating a script.
• SSDT: We fixed the schema drift detection logic in the schema compare tool which forced a new comparison to reenable scripting and publishing actions.

CVE-2019-0546 Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting how the Visual Studio C++ compiler handles certain C++ constructs.

---

released on December 11, 2018

• Visual Studio 15.9 duplicate loads open files on solution reload.
• All users can now connect to on-premise TFS servers through Team Explorer.
• Visual Studio 15.8.3 no longer expands metadata in ItemDefinitionGroup for project-defined items during GUI builds (worked in Visual Studio 15.8.2).
• Visual Studio has multiple tabs for the same file.
• System.ArgumentException: The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG)).
• LNK4099 PDB not found.
• Asset Catalog empty.
• /analyze fails for C++ code using /ZW.
• C++ compiler code optimization bug.
• Xamarin.iOS can't select image asset for Image View.
• iOS projects referencing a shared project containing image assets in an asset catalog fail to load on windows.
• Image not populating on iOS splashscreen in VS 15.8.6.
• Possible bad codegen on union/bitfield assignment in VS2017 15.8.
• Fix C# UWP Store 1201 Submission Issue.
• Fix C# UWP package creation error APPX1101: Payload contains two or more files with the same destination path 'System.Runtime.CompilerServices.Unsafe.dll'.
• Error MT2002: Failed to resolve 'System.Runtime.CompilerServices.AsyncValueTaskMethodBuilder' reference from 'System.Threading.Tasks.Extensions...'" when building a Xamarin.iOS project.
• Redirecting to a relative url doesn't work when using AndroidClientHandler.
• Debug information for typedefs of unnamed enums compiled with the C compiler is now restored.
• The spectre-mitigated x86 version of delayimp.lib is now built with /Qspectre mitigations enabled.
• Changes were made to how Asset Catalogs in Xamarin.iOS projects are loaded in order to reduce solution load time.
• We have updated Xamarin.Forms templates to use the latest version.
• We have fixed an issue with ASP.NET Core Web Applications being debugged through Kestrel that would show the error message "Unable to configure HTTPS endpoint. No server certificate was specified...".
• Enabling the AppInsights site extension in App Service from Visual Studio now happens through the use of specific Application Settings.

CVE-2018-8599 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Services properly impersonates file operations.

---

released on November 28, 2018

• Visual Studio 15.9 - duplicate loads open files on solution reload.
• Issues with reloading and IntelliSense with Unity projects and Visual Studio 2017 15.9.x.

---

released on November 19, 2018

• MFC EXE (binary) size is 5 times bigger in VS 15.8 (_MSC_VER = 1915).
• Key 'OPENSSH' is not supported.
• Windows magnifier can no longer track keyboard cursor.
• Analysis fails with immediately-invoked lamba in while loop.
• Xamarin iOS designer not working with 15.9 and Xamarin.iOS 12.2.1.10.
• We improved the reliability of incremental linking for large C++ projects.
• LNK2001 "unresolved external symbol" errors for certain vector deleting destructors will now be resolved.
• Compiler execution time has been improved for code that makes heavy use of chained, inline functions involving lambdas or local classes as parameter or return types.

---

released on November 15, 2018

• Fixed a bug where Visual Studio would fail to build projects using the Microsoft Xbox One XDK.

The Windows 10 October 2018 Update SDK (build 17763) is now the default selected SDK for the Universal Windows Platform development workload.

---

• You can now import and export an installation configuration file that specifies which workloads and components should be installed with an instance of Visual Studio.
• We have improved the debugging experience for NuGet packages using the new symbol package format (.snupkg).
• Step back in debugger is now available in C++ for Enterprise customers.
• C++ IntelliSense now responds to changes in the remote environment for both CMake and MSBuild projects targeting Linux.
• We have made updates to UWP Desktop Bridge framework packages and added support for ARM64 C++ Native Desktop scenarios.
• We added support for the range-v3 library with the MSVC 15.9 compiler.
• We fixed several bugs in the F# compiler and F# tools.
• Language service support for new TypeScript features for semantic file renaming and project references.
• Improved Node.js development by updating Vue.js templates and adding support for unit testing using the Jest framework.
• We added SharePoint 2019 project templates, so you can migrate existing SharePoint 2013 and 2016 projects to SharePoint 2019.
• Visual Studio Tools for Xamarin now supports Xcode 10.
• We made improvements to the Xamarin.Android build performance.
• We have added and improved features for Universal Windows Platform developers, including ARM64 support, the latest preview SDK, better debugging of Desktop Bridge applications, and XAML Designer improvements.
• Substantial improvements were made to the experience of using authenticated package feeds.
• There is now support for lock file to enable repeatable restore for PackageReference based projects.
• We have added support for the new license format for NuGet packages.
• We have introduced NuGet client policies in Visual Studio which enables you to lock down environments such that only trusted packages can be installed.
• We made the use of .NET Core within Visual Studio more predictable.

• No way to change "Find All References" background color.
• "Visual C++ Resource Editor Package" load failed.
• VS2017 v15.8 Build does not start if XAML files are not manually saved first.
• Installation failed - manifest signature verification failed.
• Update 15.8.6 breaks Installer Projects.
• Scrolling up with the arrow key causes Visual Studio to page up.
• After updating to 15.8.1, data tip does not show when debugging.
• System.InvalidProgramException: Common Language Runtime detected an invalid program.
• Solution Explorer does not remain pinned after closing Visual Studio.
• Navigation bar in editor has trouble handling long method names.
• Editor Package load failure error on startup of Blend.

See all customer-reported issues fixed in Visual Studio 2017 version 15.9.

The Developer Community Portal

---

released on November 13, 2018

We made it easier to keep your installation settings consistent across multiple installations of Visual Studio. You can now use the Visual Studio Installer to export a .vsconfig file for a given instance of Visual Studio. This file will contain information about what workloads and components you have installed. You can then import this file to add these workload and component selections to another installation of Visual Studio.

We have added support for consuming the new portable-pdb based symbol package format (.snupkg). We have added tooling to make it easy to consume and manage these symbol packages from sources like the NuGet.org symbol server.

• We've added the "step back" feature in the debugger for C++ in the Visual Studio Enterprise Edition. Step back enables you to go back in time to view the state of your application at a previous point in time.
• C++ IntelliSense now responds to changes in the remote environment for both CMake and MSBuild projects targeting Linux. As you install new libraries or change your CMake projects, C++ IntelliSense will automatically parse the new headers files on the remote machine for a complete and seamless C++ editing experience.
• We've updated the UWP Desktop Bridge framework packages to match the latest in the Windows Store for all supported architectures, including ARM64.
• In addition to fixing 60 blocking bugs, we have added support for the range-v3 library with the MSVC 15.9 compiler, available under /std:c++17 /permissive-.
• The retail VCLibs framework package in Visual Studio has been updated to match the latest available version in the UWP Store.
• Full support is now available for ARM64 C++ Native Desktop scenarios, including VC++ 2017 Redistributable.
• We implemented the shortest round-trip decimal overloads of floating-point to_chars() in C++17's charconv header. For scientific notation, it is approximately 10x as fast as sprintf_s() "%.8e" for floats, and 30x as fast as sprintf_s() "%.16e" for doubles. This uses Ulf Adams' new algorithm, Ryu.
• A list of improvements to the standards conformance of the Visual C++ compiler, which potentially require source changes in strict conformance mode, can be found here.
• We have deprecated the C++ Compiler /Gm switch. Consider disabling the /Gm switch in your build scripts if it's explicitly defined. Alternatively, you can also safely ignore the deprecation warning for /Gm as it will not be treated as error when using "Treat warnings as errors" (/WX).

• We fixed a bug where extension methods that take byref values could mutate an immutable value.
• We improved the compile error information for overloads on byref/inref/outref, rather than displaying the previously obscure error.
• Optional Type Extensions on byrefs are now disallowed entirely. They could be declared previously, but were unusable, resulting in a confusing user experience.
• We fixed a bug where CompareTo on a struct tuple and causing a type equivalence with an aliased struct tuple would result in a runtime exception.
• We fixed a bug where use of System.Void in the context of authoring a Type Provider for .NET Standard could fail to find the System.Void type at design-time.
• We fixed a bug where an internal error could occur when a partially applied Discriminated Union constructor is mismatched with an annotated or inferred type for the Discriminated Union.
• We modified the compiler error message when attempting to take an address of an expression (such as accessing a property) to make it more clear that it violates scoping rules for byref types.
• We fixed a bug where your program could crash at runtime when partially applying a byref type to a method or function. An error message will now display.
• We fixed an issue where an invalid combination of a byref and a reference type (such as byref<int> option) would fail at runtime and not emit an error message. We now emit an error message.

• We resolved an issue where metadata for F# assemblies built with the .NET Core SDK was not shown in file properties on Windows. You can now see this metadata by right-clicking an assembly on Windows and selecting Properties.
• We fixed a bug where use of module global in F# source could cause Visual Studio to become unresponsive.
• We fixed a bug where extension methods using inref<'T> would not show in completion lists.
• We fixed a bug where the TargetFramework dropdown in Project Properties for .NET Framework F# projects was empty.
• We fixed a bug where creating a new F# project targeting .NET Framework 4.0 would fail.

The VisualFSharpFull project is now set as the default startup project, eliminating the need to manually set that before debugging. Thanks, Robert Jeppesen!

• We added refactoring to fix up references to a file after it has been renamed. We also added support for project references, letting you split your TypeScript project up into separate builds that reference each other.
• We updated to the latest Vue CLI 3.0 and improved linting in Vue.js template files. You can also write and run unit tests using the Jest framework.
• We have added support for TypeScript 3.1.

We added new templates that allow you to create projects for SharePoint 2019. You will have the ability to migrate existing SharePoint projects from both SharePoint 2013 and SharePoint 2016 to the new project template.

Visual Studio Tools for Xamarin now supports Xcode 10, which allows you to build and debug apps for iOS 12, tvOS 12, and watchOS 5. See how to get ready for iOS 12and our introduction to iOS 12for more details on the new features available.

Xamarin.Android 9.1 includes initial build performance improvements. See our Xamarin.Android 15.8 vs. 15.9 build performance comparison for more details.

• The latest Windows 10 SDK (build 17763) is included as an optional component in the Universal Windows Platform development Workload.
• We added support for creating .MSIX packages for both the Universal Windows Platform projects, as well as in the Windows Application Packaging Project template. To create an .MSIX package, the minimum version of your application must be the latest Windows 10 SDK (build 17763).
• You can now build ARM64 UWP applications. For .NET UWP applications, only .NET Native is supported for ARM64, and you must set the Minimum Version of your application to the Fall Creators Update (Build 16299) or higher.
• We made improvements to the F5 (Build + Deploy) speed for Universal Windows Platform applications. This will be most noticeable for deployments to remote targets using Windows authentication, but will impact all other deployments as well.
• Developers now have the option to specify Control Display Options when using the XAML Designer while building UWP applications targeting the Windows 10 Fall Creators Update (build 16299) or later. Selecting "Only Display Platform Controls" prevents the designer from executing any custom control code to improve reliability of the designer.
• The XAML designer now automatically replaces controls that throw with catchable exceptions with fallback controls, rather than having the designer crash. Fallback controls have a yellow border to cue in developers that the control has been replaced at design time.
• The Windows Application Packaging project now supports debugging background process using the Core CLR debugger type.

This release substantially improves the experience of using authenticated package feeds, especially for Mac and Linux users:

• Visual Studio, MSBuild, NuGet.exe, and .NET now support a new Credential Provider plugin interface, which can be implemented by private package hosts like Azure Artifacts. Previously, only NuGet.exe and Visual Studio accepted Credential Providers.
• Visual Studio editions (including the Build Tools edition) now deliver the Azure Artifacts Credential Provider with certain workloads, so that you can easily use Azure Artifacts feeds in the course of your development. To use these improvements, install the NuGet package manager or NuGet targets and build tasks components, or the .NET Core workload.

• NuGet now enables locking the full package closure of PackageReference based projects, thereby enabling repeatable restore of packages.
• The Visual Studio NuGet package manager UI now surfaces the license information for packages that use the new license format. The new license format embeds the license information as part of the package in the form of an SPDX expression or a license file.

We have introduced NuGet Client Policies which allow you to configure package security constraints. This means you can lock down environments so only trusted packages can be installed by:

• Disallowing the installation of unsigned packages.
• Defining a list of trusted signers based on the author signature.
• Defining a list of trusted NuGet.org package owners based on the metadata in the repository signature.

Starting with this release, the .NET Core tools for Visual Studio will now default to using only the latest stable version of a .NET Core SDK that is installed on your machine for GA releases of Visual Studio. For future previews, the tools will use only preview .NET Core SDKs.

---

See all customer-reported issues fixed in Visual Studio 2017 version 15.9.

The Developer Community Portal

---

See all existing known issues and available workarounds in Visual Studio 2017 version 15.9.

Visual Studio 2017 Known Issues

---

We would love to hear from you! For issues, let us know through the Report a Problem option in the upper right-hand corner of either the installer or the Visual Studio IDE itself. The icon is located in the upper right-hand corner. You can make a product suggestion or track your issues in the Visual Studio Developer Community, where you can ask questions, find answers, and propose new features. You can also get free installation help through our Live Chat support.

---

Take advantage of the insights and recommendations available in the Developer Tools Blogs site to keep you up-to-date on all new releases and include deep dive posts on a broad range of features.

---

For more information relating to past versions of Visual Studio 2017, see the Visual Studio 2017 Release Notes History page.

---

Top of Page