I'm getting alerts from our vulnerability scanner about old versions of .NET and Visual C++ runtimes. I'm trying to figure out which ones can safely be removed since I know they're not backwards compatible. I suspect that many of them aren't even necessary. Is there a way to determine if a specific runtime is needed for any installed software? I've heard that certain programs include a header in their executable that specifies the required .NET version, but that would mean scanning all the executables on our machines. I attempted to create a tool to detect .NET versions, but it didn't extend to C++ runtimes. I'm starting to think that the only reliable approach is to inventory all the software used by our clients and check their runtime dependencies. Any advice would be appreciated!
3 Answers
We've faced this challenge as well. For endpoints, we cataloged the software and checked installers for old .NET or VC++ versions. We had success using a PowerShell script to remove older runtimes like 2005 to 2013 without many issues. Certain apps, particularly Dymo label writer software and some banking applications, have posed challenges, but most vendors confirmed their newer apps functioned with current runtimes. For servers, it's trickier—sometimes developers hard-code specific versions, which complicates updates. It’s a big task, so consider a 'scream test' approach if you need to!
It's crucial to keep required runtimes as dependencies for your applications. Each app will seek out a specific version it needs to function.
.NET runtimes are mostly backwards compatible, but you can definitely trim down old versions. Versions 1.0 and 1.1 are end-of-support, so those should go. Versions 2.0 to 3.5 are supported until 2029, so just updating to the latest 3.5 makes sense. For 4.x, stick to the latest 4.x to avoid problems. Just be cautious with .NET Core and newer versions, as specific minor versions may be mandated by some developers, which can be annoying. If you're paying for software that does that, definitely reach out to the developers! C++ runtimes can be a wild card by themselves.
Yeah, I was wondering about when we'll see the new .NET versions come out!
Thanks for breaking that down! I think we’ll take the approach of uninstalling runtimes one client at a time and be ready to reinstall the latest version when needed.
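The question's idea of scanning executables for the runtime they need can cover the C++ runtimes too. The sketch below is an added example, not code from anyone in this thread: it reads the CLR version string that follows the `BSJB` metadata signature in managed assemblies and searches for Visual C++ runtime DLL names in native binaries. The function names and the sample bytes are assumptions made for illustration, and the DLL-name search is a heuristic rather than a full import-table parse.

```python
import re
import struct
from collections import defaultdict
from pathlib import Path

# Number in the runtime DLL name -> Visual C++ redistributable that ships it.
VC_RUNTIMES = {"80": "VC++ 2005", "90": "VC++ 2008", "100": "VC++ 2010",
               "110": "VC++ 2012", "120": "VC++ 2013", "140": "VC++ 2015+"}
# Imported DLL names are stored as plain ASCII, so a byte search is enough
# for triage; it is a heuristic, not a full import-table parse.
VC_DLL = re.compile(rb"(?i)(?:msvcr|msvcp|vcruntime)(\d{2,3})")

def clr_version(data: bytes):
    """Return the CLR version string from a managed assembly's metadata root."""
    i = data.find(b"BSJB")                      # metadata root signature
    if i < 0 or len(data) < i + 16:
        return None
    (length,) = struct.unpack_from("<I", data, i + 12)
    if not 0 < length <= 255:
        return None
    raw = data[i + 16:i + 16 + length].split(b"\0", 1)[0]
    return raw.decode("ascii", "replace") or None

def runtime_deps(data: bytes) -> set:
    """Runtimes one binary references: VC++ generations and/or a CLR version."""
    needs = set()
    for m in VC_DLL.finditer(data):
        num = m.group(1).decode()
        needs.add(VC_RUNTIMES.get(num, "VC++ runtime " + num + " (unmapped)"))
    version = clr_version(data)
    if version:
        needs.add("CLR " + version)
    return needs

def inventory(root) -> dict:
    """Map each runtime to the .exe/.dll files under root that reference it."""
    users = defaultdict(list)
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".exe", ".dll") or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:                         # locked or unreadable file
            continue
        for runtime in runtime_deps(data):
            users[runtime].append(str(path))
    return dict(users)

# Constructed sample bytes (not real binaries) for a quick offline check.
NATIVE_SAMPLE = b"MZ\x90\x00\x00KERNEL32.dll\x00MSVCR90.dll\x00MSVCP90.dll\x00"
MANAGED_SAMPLE = b"MZ\x90\x00BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v2.0.50727\x00\x00"
```

A runtime with no hits is only a candidate for removal, because a program can load a runtime DLL at run time without listing it as an import. Copies of the runtime DLLs themselves will also show up as hits, since they contain their own names.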