
MS16-153 – Important: Security Update for Common Log File System Driver...

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the December bulletin summary.

Note: Please see the Security Update Guide for a new approach to consuming the security update information. You can customize your views and create affected software spreadsheets, as well as download data via a RESTful API.

For more information, please see the Security Updates Guide FAQ.

As a reminder, the Security Updates Guide will be replacing security bulletins as of February 2017. Please see our blog post, Furthering our commitment to security updates, for more details.

[1] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.

For more information, please see this Microsoft TechNet article.

[3] Windows 10 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The update is available via the Windows Update Catalog. Please note that effective December 13, 2016, Windows 10 and Windows Server 2016 details for the Cumulative Updates will be documented in Release Notes. Please refer to the Release Notes for OS Build numbers, Known Issues, and affected file list information.

Note: The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5.

Although an update is available for Windows Server 2016 Technical Preview 5 via Windows Update, Microsoft recommends that customers upgrade to Windows Server 2016 at their earliest convenience.

* The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

MS16-144 – Critical: Cumulative Security Update for Internet Explorer (3204059) –...

Multiple Information Disclosure Vulnerabilities

Information disclosure vulnerabilities exist in the way that the affected components handle objects in memory.

An attacker who successfully exploited these vulnerabilities could obtain information to further compromise a target system. In a web-based attack scenario an attacker could host a website in an attempt to exploit the vulnerabilities.

Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerabilities. However, in all cases an attacker would have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action.

For example, an attacker could trick users into clicking a link that takes them to the attacker's site.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Windows Hyperlink Object Library Information Disclosure Vulnerability | CVE-2016-7278 | No | No
Microsoft Browser Information Disclosure Vulnerability | CVE-2016-7282 | Yes | No
Internet Explorer Information Disclosure Vulnerability | CVE-2016-7284 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Multiple Microsoft Browser Memory Corruption Vulnerabilities

Remote code execution vulnerabilities exist when Microsoft browsers improperly access objects in memory.

These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, the attacker could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Microsoft browsers, and then convince a user to view the website.

The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit these vulnerabilities.
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.

The update addresses these vulnerabilities by modifying how Internet Explorer handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Memory Corruption Vulnerability | CVE-2016-7279 | No | No
Internet Explorer Memory Corruption Vulnerability | CVE-2016-7283 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Microsoft Browser Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists when the Microsoft browsers fail to correctly apply Same Origin Policy for scripts running inside Web Workers. An attacker could trick a user into loading a page with malicious content.

To exploit this vulnerability, an attacker would need to trick a user into loading a page or visiting a site.

The page could also be injected into a compromised site or ad network.

The update addresses the vulnerability by correcting the Same Origin Policy check for scripts running inside Web Workers.

The following table contains links to the standard entry for the vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Security Feature Bypass Vulnerability | CVE-2016-7281 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers.

The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through a Microsoft browser and then convince a user to view the website.

An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine.

The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.

These websites could contain specially crafted content that could exploit the vulnerabilities.

The security update addresses the vulnerabilities by modifying how the affected Microsoft scripting engines handle objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7202 | Yes | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7287 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

MS16-140 – Important: Security Update for Boot Manager (3193479) – Version:...

Security Update for Boot Manager (3193479)
Published: November 8, 2016 | Updated: December 13, 2016
Version: 2.0

This security update resolves a vulnerability in Microsoft Windows.

The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerability by revoking affected boot policies in the firmware.

For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3193479.

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The updates are available via the Microsoft Update Catalog.

[3] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

For more information, please see this Microsoft TechNet article.

* The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Note: The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5.

To be protected from the vulnerability, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update.

Secure Boot Component Vulnerability – CVE-2016-7247

A security feature bypass vulnerability exists when Windows Secure Boot improperly loads a boot policy that is affected by the vulnerability.

An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device.

The security update addresses the vulnerability by revoking affected boot policies in the firmware.

The revocation protection level depends upon platform firmware.

The Windows event channel Microsoft-Windows-Kernel-Boot may be used to determine the protection level provided. Note that an additional reboot is needed to view the event:

- Windows versions prior to Windows 10 do not log the event by default. You must enable "analytic" logging for this channel prior to installation of the patch.
- Windows 10 and higher log the event by default.

Event ID 155 indicates baseline protection.

Event ID 154 indicates enhanced protection.

For systems that provide baseline protection, firmware updates from your OEM may be available which upgrade systems to enhanced protection.
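To check which level a patched machine actually received, the following PowerShell function (an added example, not part of the bulletin) queries the Microsoft-Windows-Kernel-Boot provider for the Event IDs 154 and 155 described above and maps them to the two protection levels. It assumes an elevated session and a reboot since the update was installed; the function and parameter names are this example's own.

```powershell
# Added example, not from the bulletin: report which Secure Boot revocation
# protection level KB3193479 (MS16-140) left a machine with, using the event
# IDs the bulletin documents: 155 = baseline, 154 = enhanced.
# Assumptions: elevated PowerShell, a reboot since the update, and (on Windows
# before 10) analytic logging for the channel enabled before the update.
# Function and parameter names are this example's own.
function Get-SecureBootRevocationLevel {
    [CmdletBinding()]
    param(
        # Machines to query; defaults to the local host. Accepts pipeline input.
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = @($env:COMPUTERNAME),

        # Look-back window, so an event from before the update is not mistaken
        # for the current state.
        [int]$Days = 30
    )

    process {
        foreach ($computer in $ComputerName) {
            # Filter by provider rather than a channel name, so the query does
            # not depend on which log the provider writes to on a given version.
            # On pre-Windows 10 hosts the event lives in an analytic channel,
            # which Get-WinEvent may only read via -LogName <channel> -Oldest;
            # adjust the query there.
            $filter = @{
                ProviderName = 'Microsoft-Windows-Kernel-Boot'
                Id           = 154, 155
                StartTime    = (Get-Date).AddDays(-$Days)
            }

            try {
                # Get-WinEvent reports "no events found" as an error; with
                # -ErrorAction Stop we can catch it and treat it as "not logged".
                $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop)
            } catch {
                $events = @()
            }

            $latest = $null
            if ($events.Count -eq 0) {
                $level = 'Unknown'
                $note  = 'No Kernel-Boot event 154/155 in window: reboot after the update, ' +
                         'or enable analytic logging first on Windows versions before 10.'
            } else {
                # Newest event first: the most recent boot reflects the current state.
                $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
                switch ($latest.Id) {
                    154 { $level = 'Enhanced'; $note = 'Firmware provides enhanced revocation protection.' }
                    155 { $level = 'Baseline'; $note = 'Baseline protection only; check with the OEM for a firmware update.' }
                }
            }

            [pscustomobject]@{
                ComputerName    = $computer
                ProtectionLevel = $level
                EventId         = if ($latest) { $latest.Id } else { $null }
                TimeCreated     = if ($latest) { $latest.TimeCreated } else { $null }
                Note            = $note
            }
        }
    }
}

# Usage: local machine, or pipe in a list of hosts from inventory.
Get-SecureBootRevocationLevel | Format-List
```

Machines reporting Baseline are the ones to follow up with the OEM firmware updates the bulletin mentions; Unknown means the boot event has not been recorded yet, not that the update is missing.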

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Secure Boot Component Vulnerability | CVE-2016-7247 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions
V1.0 (November 8, 2016): Bulletin published.
V1.1 (November 23, 2016): Revised bulletin to announce a detection change for certain servers running Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

Affected servers will not automatically receive the security update.

For more information about the servers affected by this detection change, see Knowledge Base Article 3193479.

V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. These are detection changes only.

There were no changes to the update files.

Customers who have already successfully installed any of these updates do not need to take any action.

For more information, see the Microsoft Knowledge Base article for the respective update.

Page generated 2016-12-12 11:24-08:00.

MS16-135 – Important: Security Update for Windows Kernel-Mode Drivers (3199135) –...

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Sup...

MS16-NOV – Microsoft Security Bulletin Summary for November 2016 – Version:...

The following tables list the bulletins in order of major software category and severity.

Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation. If a software program or component is listed, then the severity rating of the software update is also listed.

Note: You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Windows Vista
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | Critical | Important
Windows Vista Service Pack 2 | Not applicable | 3193418 (Important); 3196718 (Critical) | 3198218 (Critical) | 3203859 (Important)
Windows Vista x64 Edition Service Pack 2 | Not applicable | 3193418 (Important); 3196718 (Critical) | 3198218 (Critical) | 3203859 (Important)

Windows Server 2008
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | None | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Not applicable | 3193418 (Important); 3196718 (Critical) | Not applicable | 3203859 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Not applicable | 3193418 (Critical); 3196718 (Critical) | Not applicable | 3203859 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Not applicable | 3193418 (Important); 3196718 (Critical) | Not applicable | 3203859 (Important)

Windows 7
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | Critical | Critical
Windows 7 for 32-bit Systems Service Pack 1, Security Only | Not applicable | 3197867 (Critical) | 3197867 (Critical) | 3197867 (Critical)
Windows 7 for 32-bit Systems Service Pack 1, Monthly Rollup | Not applicable | 3197868 (Critical) | 3197868 (Critical) | 3197868 (Critical)
Windows 7 for x64-based Systems Service Pack 1, Security Only | Not applicable | 3197867 (Critical) | 3197867 (Critical) | 3197867 (Critical)
Windows 7 for x64-based Systems Service Pack 1, Monthly Rollup | Not applicable | 3197868 (Critical) | 3197868 (Critical) | 3197868 (Critical)

Windows Server 2008 R2
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | None | Critical
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Security Only | Not applicable | 3197867 (Critical) | Not applicable | 3197867 (Critical)
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Monthly Rollup | Not applicable | 3197868 (Critical) | Not applicable | 3197868 (Critical)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Security Only | Not applicable | 3197867 (Critical) | Not applicable | 3197867 (Critical)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Monthly Rollup | Not applicable | 3197868 (Critical) | Not applicable | 3197868 (Critical)

Windows 8.1
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | Critical | Critical
Windows 8.1 for 32-bit Systems, Security Only | Not applicable | 3197873 (Critical) | 3197873 (Important) | 3197873 (Critical)
Windows 8.1 for 32-bit Systems, Monthly Rollup | Not applicable | 3197874 (Critical) | 3197874 (Important) | 3197874 (Critical)
Windows 8.1 for x64-based Systems, Security Only | Not applicable | 3197873 (Critical) | 3197873 (Important) | 3197873 (Critical)
Windows 8.1 for x64-based Systems, Monthly Rollup | Not applicable | 3197874 (Critical) | 3197874 (Important) | 3197874 (Critical)

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | None | Critical
Windows Server 2012, Security Only | Not applicable | 3197876 (Critical) | Not applicable | 3197876 (Critical)
Windows Server 2012, Monthly Rollup | Not applicable | 3197877 (Critical) | Not applicable | 3197877 (Critical)
Windows Server 2012 R2, Security Only | Not applicable | 3197873 (Critical) | Not applicable | 3197873 (Critical)
Windows Server 2012 R2, Monthly Rollup | Not applicable | 3197874 (Critical) | Not applicable | 3197874 (Critical)

Windows RT 8.1
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | Critical | Important
Windows RT 8.1, Monthly Rollup | Not applicable | 3197874 (Critical) | 3197874 (Critical) | 3197874 (Important)

Windows 10
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | Critical | Critical | Critical | Important
Windows 10 for 32-bit Systems (3198585) | 3198585 (Critical) | 3198585 (Critical) | 3198585 (Critical) | 3198585 (Important)
Windows 10 for x64-based Systems (3198585) | 3198585 (Critical) | 3198585 (Critical) | 3198585 (Critical) | 3198585 (Important)
Windows 10 Version 1511 for 32-bit Systems (3198586) | 3198586 (Critical) | 3198586 (Critical) | 3198586 (Critical) | 3198586 (Important)
Windows 10 Version 1511 for x64-based Systems (3198586) | 3198586 (Critical) | 3198586 (Critical) | 3198586 (Critical) | 3198586 (Important)
Windows 10 Version 1607 for 32-bit Systems (3200970) | 3200970 (Critical) | 3200970 (Critical) | 3200970 (Critical) | 3200970 (Important)
Windows 10 Version 1607 for x64-based Systems (3200970) | 3200970 (Critical) | 3200970 (Critical) | 3200970 (Critical) | 3200970 (Important)

Windows Server 2016
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | None | Critical
Windows Server 2016 for x64-based Systems | Not applicable | 3200970 (Critical) | Not applicable | 3200970 (Critical)

Server Core installation option
Bulletin Identifier | MS16-129 | MS16-130 | MS16-131 | MS16-132
Aggregate Severity Rating | None | Critical | None | Critical
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | 3193418 (Important); 3196718 (Critical) | Not applicable | 3203859 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | 3193418 (Important); 3196718 (Critical) | Not applicable | 3203859 (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Security Only | Not applicable | 3197867 (Critical) | Not applicable | 3197867 (Critical)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Monthly Rollup | Not applicable | 3197868 (Critical) | Not applicable | 3197868 (Critical)
Windows Server 2012 (Server Core installation), Security Only | Not applicable | 3197876 (Critical) | Not applicable | 3197876 (Critical)
Windows Server 2012 (Server Core installation), Monthly Rollup | Not applicable | 3197877 (Critical) | Not applicable | 3197877 (Critical)
Windows Server 2012 R2 (Server Core installation), Security Only | Not applicable | 3197873 (Critical) | Not applicable | 3197873 (Critical)
Windows Server 2012 R2 (Server Core installation), Monthly Rollup | Not applicable | 3197874 (Critical) | Not applicable | 3197874 (Critical)
Windows Server 2016 for x64-based Systems (Server Core installation) | Not applicable | 3200970 (Critical) | Not applicable | 3200970 (Critical)

Windows Vista
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | None | Important
Windows Vista Service Pack 2 | 3181707 (Important) | 3198234 (Important); 3194371 (Important) | 3198510 (Important) | Not applicable | 3198483 (Important)
Windows Vista x64 Edition Service Pack 2 | 3181707 (Important) | 3198234 (Important); 3194371 (Important) | 3198510 (Important) | Not applicable | 3198483 (Important)

Windows Server 2008
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | None | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | 3181707 (Important) | 3198234 (Important); 3194371 (Important) | 3198510 (Important) | Not applicable | 3198483 (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | 3181707 (Important) | 3198234 (Important); 3194371 (Important) | 3198510 (Important) | Not applicable | 3198483 (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | 3181707 (Important) | 3198234 (Important); 3194371 (Important) | 3198510 (Important) | Not applicable | 3198483 (Important)

Windows 7
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | None | Important
Windows 7 for 32-bit Systems Service Pack 1, Security Only | 3197867 (Important) | 3197867 (Important) | 3197867 (Important) | Not applicable | 3197867 (Important)
Windows 7 for 32-bit Systems Service Pack 1, Monthly Rollup | 3197868 (Important) | 3197868 (Important) | 3197868 (Important) | Not applicable | 3197868 (Important)
Windows 7 for x64-based Systems Service Pack 1, Security Only | 3197867 (Important) | 3197867 (Important) | 3197867 (Important) | Not applicable | 3197867 (Important)
Windows 7 for x64-based Systems Service Pack 1, Monthly Rollup | 3197868 (Important) | 3197868 (Important) | 3197868 (Important) | Not applicable | 3197868 (Important)

Windows Server 2008 R2
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | None | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Security Only | 3197867 (Important) | 3197867 (Important) | 3197867 (Important) | Not applicable | 3197867 (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Monthly Rollup | 3197868 (Important) | 3197868 (Important) | 3197868 (Important) | Not applicable | 3197868 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Security Only | 3197867 (Important) | 3197867 (Important) | 3197867 (Important) | Not applicable | 3197867 (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Monthly Rollup | 3197868 (Important) | 3197868 (Important) | 3197868 (Important) | Not applicable | 3197868 (Important)

Windows 8.1
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | Important | None
Windows 8.1 for 32-bit Systems, Security Only | 3197873 (Important) | 3197873 (Important) | 3197873 (Important) | 3197873 (Important) | Not applicable
Windows 8.1 for 32-bit Systems, Monthly Rollup | 3197874 (Important) | 3197874 (Important) | 3197874 (Important) | 3197874 (Important) | Not applicable
Windows 8.1 for x64-based Systems, Security Only | 3197873 (Important) | 3197873 (Important) | 3197873 (Important) | 3197873 (Important) | Not applicable
Windows 8.1 for x64-based Systems, Monthly Rollup | 3197874 (Important) | 3197874 (Important) | 3197874 (Important) | 3197874 (Important) | Not applicable

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | MS16-134 | MS16-135 | MS16-137 | MS16-138 | MS16-139
Aggregate Severity Rating | Important | Important | Important | Moderate | None
Windows Server 2012, Security Only | 3197876 (Important) | 3197876 (Important) | 3197876 (Important) | 3197876 (Important) | Not applicable
Windows Server 2012, Monthly Rollup | 3197877 (Important) | 3197877 (Important) | 3197877 (Important) | 3197877 (Important) | Not applicable
Windows Server 2012 R2, Security Only | 3197873 (Important) | 3197873 (Important) | Windows Server 2012
R2(3197873)(Important) Windows Server 2012 R2(3197873)(Important) Not applicable Windows Server 2012 R2Monthly Roll Up Windows Server 2012 R2(3197874)(Important) Windows Server 2012 R2(3197874)(Important) Windows Server 2012 R2(3197874)(Important) Windows Server 2012 R2(3197874)(Important) Not applicable Windows RT 8.1 Bulletin Identifier                                                  MS16-134 MS16-135 MS16-137 MS16-138 MS16-139 Aggregate Severity Rating Important Important Important None None Windows RT 8.1Monthly Roll Up Windows RT 8.1(3197874)(Important) Windows RT 8.1(3197874)(Important) Windows RT 8.1(3197874)(Important) Not applicable Not applicable Windows 10 Bulletin Identifier                                                  MS16-134 MS16-135 MS16-137 MS16-138 MS16-139 Aggregate Severity Rating Important Important Important Important None Windows 10 for 32-bit Systems Windows 10 for 32-bit Systems(3198585)(Important) Windows 10 for 32-bit Systems(3198585)(Important) Windows 10 for 32-bit Systems(3198585)(Important) Windows 10 for 32-bit Systems(3198585)(Important) Not applicable Windows 10 for x64-based Systems Windows 10 for x64-based Systems(3198585)(Important) Windows 10 for x64-based Systems(3198585)(Important) Windows 10 for x64-based Systems(3198585)(Important) Windows 10 for x64-based Systems(3198585)(Important) Not applicable Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for 32-bit Systems(3198586)(Important) Windows 10 Version 1511 for 32-bit Systems(3198586)(Important) Windows 10 Version 1511 for 32-bit Systems(3198586)(Important) Windows 10 Version 1511 for 32-bit Systems(3198586)(Important) Not applicable Windows 10 Version 1511 for x64-based Systems Windows 10 Version 1511 for x64-based Systems(3198586)(Important) Windows 10 Version 1511 for x64-based Systems(3198586)(Important) Windows 10 Version 1511 for x64-based Systems(3198586)(Important) Windows 10 Version 1511 for x64-based Systems(3198586)(Important) Not 
applicable Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for 32-bit Systems(3200970)(Important) Windows 10 Version 1607 for 32-bit Systems(3200970)(Important) Windows 10 Version 1607 for 32-bit Systems(3200970)(Important) Windows 10 Version 1607 for 32-bit Systems(3200970)(Important) Not applicable Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for x64-based Systems(3200970)(Important) Windows 10 Version 1607 for x64-based Systems(3200970)(Important) Windows 10 Version 1607 for x64-based Systems(3200970)(Important) Windows 10 Version 1607 for x64-based Systems(3200970)(Important) Not applicable Windows Server 2016 Bulletin Identifier                                                  MS16-134 MS16-135 MS16-137 MS16-138 MS16-139 Aggregate Severity Rating Important Important Important Important None Windows Server 2016 for x64-based Systems Windows Server 2016 for x64-based Systems(3200970)(Important) Windows Server 2016 for x64-based Systems(3200970)(Important) Windows Server 2016 for x64-based Systems(3200970)(Important) Windows Server 2016 for x64-based Systems(3200970)(Important) Not applicable Server Core installation option Bulletin Identifier                                                  MS16-134 MS16-135 MS16-137 MS16-138 MS16-139 Aggregate Severity Rating Important Important Important Important Important Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3181707)(Important) Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3198234)(Important) Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3190847)(Important) Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3196718)(Important) Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation) Windows Server 2008 for x64-based 
Systems Service Pack 2 (Server Core installation)(3181707)(Important) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3198234)(Important) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3190847)(Important) Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3196718)(Important) Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)Security Only Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197867)(Important) Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197867)(Important) Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197867)(Important) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Monthly Rollup Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197868)(Important) Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197868)(Important) Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197868)(Important) Windows Server 2012(Server Core installation)Security Only Windows Server 2012 (Server Core installation)(3197876)(Important) Not applicable Windows Server 2012 (Server Core installation)(3197876)(Important) Windows Server 2012 (Server Core installation)(3197876)(Important) Not applicable Windows Server 2012(Server Core installation)Monthly Rollup Windows Server 2012 (Server Core installation)(3197877)(Important) Not applicable Windows Server 2012 (Server Core installation)(3197877)(Important) Windows Server 2012 (Server Core installation)(3197877)(Important) Not applicable Windows Server 2012 R2(Server Core installation)Security Only Windows Server 2012 R2 (Server Core 
installation)(3197873)(Important) Not applicable Windows Server 2012 R2 (Server Core installation)(3197873)(Important) Windows Server 2012 R2 (Server Core installation)(3197873)(Important) Not applicable Windows Server 2012 R2(Server Core installation)Monthly Rollup Windows Server 2012 R2 (Server Core installation)(3197874)(Important) Not applicable Windows Server 2012 R2 (Server Core installation)(3197874)(Important) Windows Server 2012 R2 (Server Core installation)(3197874)(Important) Not applicable Windows Server 2016 for x64-based Systems(Server Core installation) Windows Server 2016 for x64-based Systems (Server Core installation)(3200970)(Important) Windows Server 2016 for x64-based Systems (Server Core installation)(3200970)(Important) Windows Server 2016 for x64-based Systems (Server Core installation)(3200970)(Important) Windows Server 2016 for x64-based Systems (Server Core installation)(3200970)(Important) Not applicable Windows Vista Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating None None Critical Windows Vista Service Pack 2 Not applicable Not applicable Internet Explorer 9 (3197655)(Critical) Windows Vista x64 Edition Service Pack 2 Not applicable Not applicable Internet Explorer 9 (3197655)(Critical) Windows Server 2008 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating None None Critical Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2(3193418) Not applicable Internet Explorer 9 (3197655)(Critical) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2(3193418) Not applicable Internet Explorer 9 (3197655)(Critical) Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2(3193418) Not applicable Not applicable Windows 7 
Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating None None Critical Windows 7 for 32-bit Systems Service Pack 1Security Only Not applicable Not applicable Internet Explorer 11(3197867)(Critical) Windows 7 for 32-bit Systems Service Pack 1Monthly Roll Up Not applicable Not applicable Internet Explorer 11(3197868)(Critical) Windows 7 for x64-based Systems Service Pack 1Security Only Not applicable Not applicable Internet Explorer 11(3197867)(Critical) Windows 7 for x64-based Systems Service Pack 1Monthly Roll Up Not applicable Not applicable Internet Explorer 11(3197868)(Critical) Windows Server 2008 R2 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating None None Critical Windows Server 2008 R2 for x64-based Systems Service Pack 1Security Only Windows Server 2008 R2 for x64-based Systems Service Pack 1(3197867)(Important) Not applicable Internet Explorer 11(3197867)(Critical) Windows Server 2008 R2 for x64-based Systems Service Pack 1Monthly Roll Up Windows Server 2008 R2 for x64-based Systems Service Pack 1(3197868)(Important) Not applicable Internet Explorer 11(3197868)(Critical) Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Security Only Not applicable Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Monthly Rollup Not applicable Not applicable Not applicable Windows 8.1 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important Critical Critical Windows 8.1 for 32-bit SystemsSecurity Only Windows 8.1 for 32-bit Systems(3197873)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3197873)(Critical) Windows 8.1 for 32-bit SystemsMonthly Roll Up Windows 8.1 for 32-bit Systems(3197874)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3197874)(Critical) 
Windows 8.1 for x64-based SystemsSecurity Only Windows 8.1 for x64-based Systems(3197873)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3197873)(Critical) Windows 8.1 for x64-based SystemsMonthly Roll Up Windows 8.1 for x64-based Systems(3197874)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3197874)(Critical) Windows Server 2012 and Windows Server 2012 R2 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important Moderate Moderate Windows Server 2012Security Only Windows Server 2012(3197876)(Important) Adobe Flash Player(3202790)(Moderate) Internet Explorer 10(3197876)(Moderate) Windows Server 2012Monthly Roll Up Windows Server 2012(3197877)(Important) Adobe Flash Player(3202790)(Moderate) Internet Explorer 10(3197877)(Moderate) Windows Server 2012 R2Security Only Windows Server 2012 R2(3197873)(Important) Adobe Flash Player(3202790)(Moderate) Internet Explorer 11(3197873)(Moderate) Windows Server 2012 R2Monthly Roll Up Windows Server 2012 R2(3197874)(Important) Adobe Flash Player(3202790)(Moderate) Internet Explorer 11(3197874)(Moderate) Windows RT 8.1 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important Important None Windows RT 8.1Monthly Roll Up Windows RT 8.1(3197874)(Important) Adobe Flash Player(3202790)(Critical) Not applicable Windows 10 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important Critical Critical Windows 10 for 32-bit Systems Windows 10 for 32-bit Systems(3198585)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3198585)(Critical) Windows 10 for x64-based Systems Windows 10 for x64-based Systems(3198585)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3198585)(Critical) Windows 10 Version 1511 for 32-bit Systems Windows 10 
Version 1511 for 32-bit Systems(3198586)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3198586)(Critical) Windows 10 Version 1511 for x64-based Systems Windows 10 Version 1511 for x64-based Systems(3198586)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3198586)(Critical) Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for 32-bit Systems(3200970)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3200970)(Critical) Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for x64-based Systems(3200970)(Important) Adobe Flash Player(3202790)(Critical) Internet Explorer 11(3200970)(Critical) Windows Server 2016 Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important None None Windows Server 2016 for x64-based Systems Windows Server 2016 for x64-based Systems(3200970)(Important) Not applicable Not applicable Server Core installation option Bulletin Identifier                                                  MS16-140 MS16-141 MS16-142 Aggregate Severity Rating Important None None Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3190847)(Important) Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3190847)(Important) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)Security Only Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3197867)(Important) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Monthly Rollup Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server 
Core installation)(3197868)(Important) Not applicable Not applicable Windows Server 2012(Server Core installation)Security Only Windows Server 2012 (Server Core installation)(3197876)(Important) Not applicable Not applicable Windows Server 2012(Server Core installation)Monthly Rollup Windows Server 2012 (Server Core installation)(3197877)(Important) Not applicable Not applicable Windows Server 2012 R2(Server Core installation)Security Only Windows Server 2012 R2 (Server Core installation)(3197873)(Important) Not applicable Not applicable Windows Server 2012 R2(Server Core installation)Monthly Rollup Windows Server 2012 R2 (Server Core installation)(3197874)(Important) Not applicable Not applicable Windows Server 2016 for x64-based Systems(Server Core installation) Windows Server 2016 for x64-based Systems (Server Core installation)(3200970)(Critical) Not applicable Not applicable

MS16-132 – Critical: Security Update for Microsoft Graphics Component (3199120) –...

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[2] Windows 10 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The update is available via the Windows Update Catalog.

[3] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

For more information, please see this Microsoft TechNet article.

Note The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5.

To be protected from the vulnerability, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update. *The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

MS16-139 – Important: Security Update for Windows Kernel (3199720) – Version:...

Security Update for Windows Kernel (3199720)
Published: November 8, 2016 | Updated: December 13, 2016
Version: 2.0

This security update resolves a vulnerability in Microsoft Windows.

The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information.

A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application.

An attacker can gain access to information not intended to be available to the user by using this method.

This security update is rated Important for Microsoft Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (and Server Core).

For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerability by helping to ensure the kernel API correctly enforces access controls applied to this information.

For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3199720.

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[1] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

For more information, please see this Microsoft TechNet article.

*The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Windows Kernel Elevation of Privilege Vulnerability - CVE-2016-7216

An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions.

An attacker who successfully exploited the vulnerability could gain access to information that is not intended for the user. To exploit the vulnerability a locally-authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly enforces permissions.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
--- | --- | --- | ---
Windows Kernel Elevation of Privilege Vulnerability | CVE-2016-7216 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (November 8, 2016): Bulletin published.

V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. These are detection changes only.

There were no changes to the update files.

Customers who have already successfully installed any of these updates do not need to take any action.

For more information, see the Microsoft Knowledge Base article for the respective update. Page generated 2016-12-12 11:23-08:00.

MS16-130 – Critical: Security Update for Microsoft Windows (3199172) –...

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[2] Windows 10 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The updates are available via the Microsoft Update Catalog.

[3] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

For more information, please see this Microsoft TechNet article.

*The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Note A vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5.

To be protected from the vulnerability, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update. 

MS16-133 – Important: Security Update for Microsoft Office (3199168) – Version:...

Microsoft Office Information Disclosure Vulnerability – CVE-2016-7233

An information disclosure vulnerability exists when Office or Word reads out of bound memory due to an uninitialized variable which could disclose the contents of memory.

An attacker who successfully exploited the vulnerability could view out of bounds memory. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. The security update addresses the vulnerability by properly initializing the variable.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
--- | --- | --- | ---
Microsoft Office Information Disclosure Vulnerability | CVE-2016-7233 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Multiple Microsoft Office Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory.

An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
If the current user is logged on with administrative user rights, an attacker could take control of the affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software.
In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file.
In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities.

An attacker would have no way to force users to visit the website.
Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. Note that the Preview Pane is not an attack vector for these vulnerabilities.

The security update addresses the vulnerabilities by correcting how Office handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
--- | --- | --- | ---
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7213 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7228 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7229 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7230 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7231 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7232 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7234 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7235 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7236 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-7245 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Microsoft Office Denial of Service Vulnerability – CVE-2016-7244

A denial of service vulnerability exists when a specially crafted file is opened in Microsoft Office.

An attacker who successfully exploited the vulnerability could cause Office to stop responding. Note that the denial of service would not allow an attacker to execute code or to elevate their user rights. For an attack to be successful, this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file. The update addresses the vulnerability by correcting how Microsoft Office handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
--- | --- | --- | ---
Microsoft Office Denial of Service Vulnerability | CVE-2016-7244 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

MS16-138 – Important: Security Update for Microsoft Virtual Hard Disk Driver...

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

[3] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft TechNet article.

Note: The vulnerabilities discussed in this bulletin affect Windows Server 2016 Technical Preview 5. To be protected from the vulnerabilities, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

MS16-131 – Critical: Security Update for Microsoft Video Control (3199151) –...

Security Update for Microsoft Video Control (3199151)
Published: November 8, 2016 | Updated: December 13, 2016
Version: 2.0

This security update resolves a vulnerability in Microsoft Windows.

The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

This security update is rated Critical for Windows Vista, Windows 7, Windows 8.1, and Windows 10. For more information, see the Affected Software section.

The update addresses the vulnerability by correcting how Microsoft Video Control handles objects in memory. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3199151.

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

[3] Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft TechNet article.

Note: The vulnerabilities discussed in this bulletin affect Windows Server 2016 Technical Preview 5. To be protected from the vulnerabilities, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Microsoft Video Control Remote Code Execution Vulnerability – CVE-2016-7248

A remote code execution vulnerability exists when Microsoft Video Control fails to properly handle objects in memory.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
If the current user is logged on with administrative user rights, an attacker could take control of the affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would have to convince a user to open either a specially crafted file or application from either a webpage or an email message.

The update addresses the vulnerability by correcting how Microsoft Video Control handles objects in memory.

Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Outlook Preview Pane is an attack vector for CVE-2016-7248.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Video Control Remote Code Execution Vulnerability | CVE-2016-7248 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (November 8, 2016): Bulletin published.
V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. These are detection changes only.

There were no changes to the update files.

Customers who have already successfully installed any of these updates do not need to take any action.

For more information, see the Microsoft Knowledge Base article for the respective update. Page generated 2016-12-12 11:14-08:00.

MS16-129 – Critical: Cumulative Security Update for Microsoft Edge (3199057) –...

Multiple Microsoft Browser Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that Microsoft browsers handle objects in memory.

The vulnerabilities could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft browsers and then convince a user to view the website.

The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

These websites could contain specially crafted content that could exploit the vulnerabilities. The security update addresses the vulnerabilities by modifying how the affected scripting engine handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Memory Corruption Vulnerability | CVE-2016-7195 | No | No
Microsoft Browser Memory Corruption Vulnerability | CVE-2016-7196 | No | No
Microsoft Browser Memory Corruption Vulnerability | CVE-2016-7198 | No | No
Microsoft Browser Memory Corruption Vulnerability | CVE-2016-7241 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Microsoft Browser Information Disclosure Vulnerability – CVE-2016-7199

An information disclosure vulnerability exists when Microsoft browsers improperly handle objects in memory.

An attacker who successfully exploited this vulnerability could obtain browser window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website.

The update addresses the vulnerability by changing how Microsoft browsers handle objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Information Disclosure Vulnerability | CVE-2016-7199 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Microsoft Browser Information Disclosure Vulnerability – CVE-2016-7239

An information disclosure vulnerability exists when the Microsoft browser XSS filter is abused to leak sensitive page information.

An attacker who successfully exploited the vulnerability could obtain sensitive information from certain web pages. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The update addresses the vulnerability by changing how the XSS filter handles RegEx. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Information Disclosure Vulnerability | CVE-2016-7239 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Multiple Scripting Engine Memory Corruption Vulnerabilities

A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website.

An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine.

The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.

These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7200 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7201 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7202 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7203 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7208 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7240 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7242 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-7243 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Microsoft Edge Information Disclosure Vulnerability – CVE-2016-7204

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory.

An attacker who successfully exploited this vulnerability could trick a user into allowing access to the user’s My Documents folder. For an attack to be successful, an attacker must persuade a user to open a malicious website.

The update addresses the vulnerability by changing how Microsoft Edge handles objects in memory. The following table contains a link to the standard entry for the vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Edge Information Disclosure Vulnerability | CVE-2016-7204 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Microsoft Edge Spoofing Vulnerability – CVE-2016-7209

A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content.

An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website.

The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability, the user must click a specially crafted URL.
In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website.

The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or Instant Messenger message, and then convince the user to interact with content on the website.

The update addresses the vulnerability by correcting how Microsoft Edge parses HTTP responses. The following table contains a link to the standard entry for the vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Edge Spoofing Vulnerability | CVE-2016-7209 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Microsoft Browser Information Disclosure Vulnerability – CVE-2016-7227

An information disclosure vulnerability exists when (Internet Explorer/Edge/Scripting Engine) does not properly handle objects in memory.

The vulnerability could allow an attacker to detect specific files on the user's computer.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-generated content could contain specially crafted content that could exploit the vulnerability.
In all cases, however, an attacker would have no way to force a user to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action.

For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could potentially read data that was not intended to be disclosed. Note that the vulnerability would not allow an attacker to execute code or to elevate a user’s rights directly, but the vulnerability could be used to obtain information in an attempt to further compromise the affected system.

The update addresses the vulnerability by helping to restrict what information is returned to affected Microsoft browsers. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Browser Information Disclosure Vulnerability | CVE-2016-7227 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.