Saturday, October 21, 2017

Tag: 2016

Microsoft Internet Explorer Memory Corruption Vulnerabilities

Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory.

The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, the attacker could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer, and then convince a user to view the website.

The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities.
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.

The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Internet Explorer Memory Corruption Vulnerability | CVE-2016-0199 | No | No
Internet Explorer Memory Corruption Vulnerability | CVE-2016-0200 | No | No
Internet Explorer Memory Corruption Vulnerability | CVE-2016-3211 | No | No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. Does this mitigate these vulnerabilities?

Yes.

By default, Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server.

This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

Can EMET help mitigate attacks that attempt to exploit these vulnerabilities?

Yes.

The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit memory corruption vulnerabilities in a given piece of software.

EMET can help mitigate attacks that attempt to exploit these vulnerabilities in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer. For more information about EMET, see the Enhanced Mitigation Experience Toolkit.

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the JScript 9, JScript, and VBScript engines render when handling objects in memory in Internet Explorer.

The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website.

An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.

These websites could contain specially crafted content that could exploit the vulnerabilities.

The update addresses the vulnerabilities by modifying how the JScript 9, JScript, and VBScript scripting engines handle objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3202 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3205 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3206 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3207 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3210 | No | No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workaround may be helpful in your situation:

Restrict access to VBScript.dll and JScript.dll

For 32-bit systems, enter the following command at an administrative command prompt:

    takeown /f %windir%\system32\vbscript.dll
    cacls %windir%\system32\vbscript.dll /E /P everyone:N
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

    takeown /f %windir%\syswow64\vbscript.dll
    cacls %windir%\syswow64\vbscript.dll /E /P everyone:N
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Impact of Workaround. Websites that use VBScript or JScript may not work properly.

How to undo the workaround.

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\vbscript.dll /E /R everyone
    cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\syswow64\vbscript.dll /E /R everyone
    cacls %windir%\syswow64\jscript.dll /E /R everyone

Internet Explorer XSS Filter Vulnerability - CVE-2016-3212

A remote code execution vulnerability exists when the Internet Explorer XSS Filter does not properly validate JavaScript under specific conditions.

An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). In a web-based attack scenario, an attacker could host a website in an attempt to exploit this vulnerability.
In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action.

For example, an attacker could trick users into clicking a link that takes the user to the attacker's site.

The update addresses the vulnerability by fixing how the Internet Explorer XSS Filter validates JavaScript.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Internet Explorer XSS Filter Vulnerability | CVE-2016-3212 | No | No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

WPAD Elevation of Privilege Vulnerability - CVE-2016-3213

An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process.

An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system. To exploit the vulnerability, an attacker could respond to NetBIOS name requests for WPAD.

The update addresses the vulnerability by correcting how Windows handles proxy discovery.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
WPAD Elevation of Privilege Vulnerability | CVE-2016-3213 | No | No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation.

Disable WINS/NetBT name resolution

Open Network Connections.
Click the Local Area Connection to be statically configured, and then from the File menu, click Properties.
In the list of components, click Internet Protocol (TCP/IP), and then click Properties.
Click Advanced, click the WINS tab, and then click Disable NetBIOS over TCP/IP. Optionally, you can select the Use NetBIOS setting on the DHCP server if you are using a DHCP server that can selectively enable and disable NetBIOS configuration through DHCP option types.

Stop WPAD using a host file entry

Open the host file located at the following location as an administrator:

    %systemdrive%\Windows\System32\Drivers\etc\hosts

Create the following entry for WPAD in the host file:

    wpad 255.255.255.255

Impact of workaround. Autoproxy discovery will not work, and for this reason, some applications, such as Internet Explorer, will not be able to load websites properly.

How to undo the workaround.

Open the host file located at the following location as an administrator:

    %systemdrive%\Windows\System32\Drivers\etc\hosts

Remove the following entry for WPAD in the host file:

    wpad 255.255.255.255
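An added example, not part of the bulletin, that checks whether the two WPAD workarounds above are actually in effect on a host. It assumes Python 3 and reads the per-interface NetbiosOptions value under the NetBT service key in the registry; the function names and the sample inputs are constructed for illustration. A hosts line only takes effect when it starts with an address followed by the host name, so the checker reports a name-first line as malformed instead of counting it as a working entry.

```python
import ipaddress
import os
import sys

# Meaning of the per-interface NetbiosOptions registry value.
NETBIOS_OPTIONS = {0: "default (use DHCP setting)", 1: "enabled", 2: "disabled"}
NETBT_INTERFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"

# Constructed sample input, used when the script is not run on Windows.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
wpad 255.255.255.255
"""
SAMPLE_NETBIOS = {"Tcpip_{constructed-guid-1}": 2, "Tcpip_{constructed-guid-2}": 0}


def parse_hosts(text):
    """Split hosts-file text into usable entries and rejected lines.

    Returns (entries, rejected): entries maps lower-cased host name to the
    first address seen for it; rejected holds (line_no, line) for lines whose
    first field is not a valid IP address.
    """
    entries, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((line_no, line))
            continue
        for name in fields[1:]:
            entries.setdefault(name.lower(), address)
    return entries, rejected


def wpad_hosts_status(text, name="wpad"):
    """Return ('mapped', address), ('malformed', detail) or ('absent', None)."""
    entries, rejected = parse_hosts(text)
    if name in entries:
        return "mapped", entries[name]
    for line_no, line in rejected:
        if name in (field.lower() for field in line.split()):
            return "malformed", "line %d: %s" % (line_no, line)
    return "absent", None


def netbios_findings(options_by_interface):
    """Return the interfaces where NetBIOS over TCP/IP is not set to disabled."""
    return {iface: NETBIOS_OPTIONS.get(value, "unknown (%r)" % (value,))
            for iface, value in options_by_interface.items() if value != 2}


def read_netbios_options():
    """Windows only: read NetbiosOptions for every NetBT interface."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_INTERFACES) as root:
        for index in range(winreg.QueryInfoKey(root)[0]):
            iface = winreg.EnumKey(root, index)
            with winreg.OpenKey(root, iface) as key:
                try:
                    result[iface] = winreg.QueryValueEx(key, "NetbiosOptions")[0]
                except FileNotFoundError:
                    result[iface] = 0    # assumption: a missing value means default
    return result


def main():
    if sys.platform == "win32":
        hosts_path = os.environ.get("SystemDrive", "C:") + \
            r"\Windows\System32\Drivers\etc\hosts"
        with open(hosts_path, encoding="utf-8-sig", errors="replace") as handle:
            hosts_text = handle.read()
        netbios = read_netbios_options()
    else:
        hosts_text, netbios = SAMPLE_HOSTS, SAMPLE_NETBIOS

    status, detail = wpad_hosts_status(hosts_text)
    print("hosts entry for wpad: %s %s" % (status, detail or ""))
    for iface, state in sorted(netbios_findings(netbios).items()):
        print("NetBIOS over TCP/IP not disabled on %s: %s" % (iface, state))


if __name__ == "__main__":
    main()
```
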
The following tables list the bulletins in order of major software category and severity. Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation.
If a software program or component is listed, then the severity rating of the software update is also listed.

Note: You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Windows Vista
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Critical | None | Critical | None | Important | Important | Important | Important
Windows Vista Service Pack 2 | Internet Explorer 9 (3160005) (Critical) | Not applicable | VBScript 5.7 (3158364) (Critical) | Not applicable | Windows Vista Service Pack 2 (3159398) (Important) | Windows Vista Service Pack 2 (3161664) (Important) | Windows Vista Service Pack 2 (3164033) (Important); Windows Vista Service Pack 2 (3164035) (Important) | Windows Vista Service Pack 2 (3161561) (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 9 (3160005) (Critical) | Not applicable | VBScript 5.7 (3158364) (Critical) | Not applicable | Windows Vista x64 Edition Service Pack 2 (3159398) (Important) | Windows Vista x64 Edition Service Pack 2 (3161664) (Important) | Windows Vista x64 Edition Service Pack 2 (3164033) (Important); Windows Vista x64 Edition Service Pack 2 (3164035) (Important) | Windows Vista x64 Edition Service Pack 2 (3161561) (Important)

Windows Server 2008
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Moderate | None | Moderate | None | Important | Important | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 9 (3160005) (Moderate) | Not applicable | VBScript 5.7 (3158364) (Moderate) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (3159398) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (3161664) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (3164033) (Important); Windows Server 2008 for 32-bit Systems Service Pack 2 (3164035) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (3161561) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 9 (3160005) (Moderate) | Not applicable | VBScript 5.7 (3158364) (Moderate) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (3159398) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (3161664) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (3164033) (Important); Windows Server 2008 for x64-based Systems Service Pack 2 (3164035) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (3161561) (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Not applicable | Not applicable | VBScript 5.7 (3158364) (Moderate) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3159398) (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3161664) (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3164033) (Important); Windows Server 2008 for Itanium-based Systems Service Pack 2 (3164035) (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3161561) (Important)

Windows 7
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Critical | None | None | None | Important | Important | Important | Important
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 11 (3160005) (Critical) | Not applicable | Not applicable | Not applicable | Windows 7 for 32-bit Systems Service Pack 1 (3159398) (Important) | Windows 7 for 32-bit Systems Service Pack 1 (3161664) (Important) | Windows 7 for 32-bit Systems Service Pack 1 (3164033) (Important); Windows 7 for 32-bit Systems Service Pack 1 (3164035) (Important) | Windows 7 for 32-bit Systems Service Pack 1 (3161561) (Important)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3160005) (Critical) | Not applicable | Not applicable | Not applicable | Windows 7 for x64-based Systems Service Pack 1 (3159398) (Important) | Windows 7 for x64-based Systems Service Pack 1 (3161664) (Important) | Windows 7 for x64-based Systems Service Pack 1 (3164033) (Important); Windows 7 for x64-based Systems Service Pack 1 (3164035) (Important) | Windows 7 for x64-based Systems Service Pack 1 (3161561) (Important)

Windows Server 2008 R2
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Moderate | None | None | None | Important | Important | Important | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3160005) (Moderate) | Not applicable | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3159398) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3161664) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3164033) (Important); Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3164035) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3161561) (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Not applicable | Not applicable | Not applicable | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3159398) (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3161664) (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3164033) (Important); Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3164035) (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3161561) (Important)

Windows 8.1
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Critical | None | None | None | Important | Important | Important | Important
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (3160005) (Critical) | Not applicable | Not applicable | Not applicable | Windows 8.1 for 32-bit Systems (3159398) (Important) | Windows 8.1 for 32-bit Systems (3161664) (Important) | Windows 8.1 for 32-bit Systems (3164033) (Important); Windows 8.1 for 32-bit Systems (3164035) (Important) | Windows 8.1 for 32-bit Systems (3161561) (Important)
Windows 8.1 for x64-based Systems | Internet Explorer 11 (3160005) (Critical) | Not applicable | Not applicable | Not applicable | Windows 8.1 for x64-based Systems (3159398) (Important) | Windows 8.1 for x64-based Systems (3161664) (Important) | Windows 8.1 for x64-based Systems (3164033) (Important); Windows 8.1 for x64-based Systems (3164035) (Important) | Windows 8.1 for x64-based Systems (3161561) (Important)

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Moderate | None | None | Critical | Important | Important | Important | Important
Windows Server 2012 | Internet Explorer 10 (3160005) (Moderate) | Not applicable | Not applicable | Windows Server 2012 (3161951) (Critical) | Windows Server 2012 (3159398) (Important) | Windows Server 2012 (3161664) (Important); Windows Server 2012 (3164294) (Important) | Windows Server 2012 (3164033) (Important); Windows Server 2012 (3164035) (Important) | Windows Server 2012 (3161561) (Important)
Windows Server 2012 R2 | Internet Explorer 11 (3160005) (Moderate) | Not applicable | Not applicable | Windows Server 2012 R2 (3161951) (Critical) | Windows Server 2012 R2 (3159398) (Important) | Windows Server 2012 R2 (3161664) (Important); Windows Server 2012 R2 (3164294) (Important) | Windows Server 2012 R2 (3164033) (Important); Windows Server 2012 R2 (3164035) (Important) | Windows Server 2012 R2 (3161561) (Important)

Windows RT 8.1
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Critical | None | None | None | Important | Important | Important | Important
Windows RT 8.1 | Internet Explorer 11 (3160005) (Critical) | Not applicable | Not applicable | Not applicable | Windows RT 8.1 (3159398) (Important) | Windows RT 8.1 (3161664) (Important) | Windows RT 8.1 (3164033) (Important); Windows RT 8.1 (3164035) (Important) | Windows RT 8.1 (3161561) (Important)

Windows 10
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | Critical | Critical | None | None | Important | Important | Important | Important
Windows 10 for 32-bit Systems | Internet Explorer 11 (3163017) (Critical) | Microsoft Edge (3163017) (Critical) | Not applicable | Not applicable | Windows 10 for 32-bit Systems (3163017) (Important) | Windows 10 for 32-bit Systems (3163017) (Important) | Windows 10 for 32-bit Systems (3163017) (Important) | Windows 10 for 32-bit Systems (3163017) (Important)
Windows 10 for x64-based Systems | Internet Explorer 11 (3163017) (Critical) | Microsoft Edge (3163017) (Critical) | Not applicable | Not applicable | Windows 10 for x64-based Systems (3163017) (Important) | Windows 10 for x64-based Systems (3163017) (Important) | Windows 10 for x64-based Systems (3163017) (Important) | Windows 10 for x64-based Systems (3163017) (Important)
Windows 10 Version 1511 for 32-bit Systems | Internet Explorer 11 (3163018) (Critical) | Microsoft Edge (3163018) (Critical) | Not applicable | Not applicable | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important)
Windows 10 Version 1511 for x64-based Systems | Internet Explorer 11 (3163018) (Critical) | Microsoft Edge (3163018) (Critical) | Not applicable | Not applicable | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Windows 10 Version 1511 for x64-based Systems (3163018) (Important)

Server Core installation option
Bulletin Identifier | MS16-063 | MS16-068 | MS16-069 | MS16-071 | MS16-072 | MS16-073 | MS16-074 | MS16-075
Aggregate Severity Rating | None | None | Moderate | Critical | Important | Important | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | VBScript 5.7 (3158364) (Moderate) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3159398) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3161664) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3164033) (Important); Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3164035) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3161561) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | VBScript 5.7 (3158364) (Moderate) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3159398) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3161664) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3164033) (Important); Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3164035) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3161561) (Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Not applicable | JScript 5.8 and VBScript 5.8 (3158363) (Moderate) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3159398) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3161664) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3164033) (Important); Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3164035) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3161561) (Important)
Windows Server 2012 (Server Core installation) | Not applicable | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (3161951) (Critical) | Windows Server 2012 (Server Core installation) (3159398) (Important) | Windows Server 2012 (Server Core installation) (3161664) (Important); Windows Server 2012 (Server Core installation) (3164294) (Important) | Windows Server 2012 (Server Core installation) (3164033) (Important); Windows Server 2012 (Server Core installation) (3164035) (Important) | Windows Server 2012 (Server Core installation) (3161561) (Important)
Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Not applicable | Windows Server 2012 R2 (Server Core installation) (3161951) (Critical) | Windows Server 2012 R2 (Server Core installation) (3159398) (Important) | Windows Server 2012 R2 (Server Core installation) (3161664) (Important); Windows Server 2012 R2 (Server Core installation) (3164294) (Important) | Windows Server 2012 R2 (Server Core installation) (3164033) (Important); Windows Server 2012 R2 (Server Core installation) (3164035) (Important) | Windows Server 2012 R2 (Server Core installation) (3161561) (Important)

Windows Vista
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | None | Important | None | None | None | None | None
Windows Vista Service Pack 2 | Not applicable | Windows Vista Service Pack 2 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Windows Vista x64 Edition Service Pack 2 | Not applicable | Windows Vista x64 Edition Service Pack 2 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable

Windows Server 2008
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | Important | Important | None | None | None | None | None
Windows Server 2008 for 32-bit Systems Service Pack 2 | Windows Server 2008 for 32-bit Systems Service Pack 2 (3161561) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Windows Server 2008 for x64-based Systems Service Pack 2 | Windows Server 2008 for x64-based Systems Service Pack 2 (3161561) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3161561) (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable

Windows 7
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | None | Important | None | None | None | Important | None
Windows 7 for 32-bit Systems Service Pack 1 | Not applicable | Windows 7 for 32-bit Systems Service Pack 1 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Windows 7 for 32-bit Systems Service Pack 1 (3161958) (Important) | Not applicable
Windows 7 for x64-based Systems Service Pack 1 | Not applicable | Windows 7 for x64-based Systems Service Pack 1 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Windows 7 for x64-based Systems Service Pack 1 (3161958) (Important) | Not applicable

Windows Server 2008 R2
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | Important | Important | None | None | Important | Important | None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3161561) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3161949) (Important) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3160352) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3161958) (Important) | Not applicable
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3161561) (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3161958) (Important) | Not applicable

Windows 8.1
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | None | Important | None | Important | None | Important | Critical
Windows 8.1 for 32-bit Systems | Not applicable | Windows 8.1 for 32-bit Systems (3161949) (Important) | Not applicable | Windows 8.1 for 32-bit Systems (3157569) (Important) | Not applicable | Windows 8.1 for 32-bit Systems (3161958) (Important) | Adobe Flash Player (3167685) (Critical)
Windows 8.1 for x64-based Systems | Not applicable | Windows 8.1 for x64-based Systems (3161949) (Important) | Not applicable | Windows 8.1 for x64-based Systems (3157569) (Important) | Not applicable | Windows 8.1 for x64-based Systems (3161958) (Important) | Adobe Flash Player (3167685) (Critical)

Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | Important | Important | None | Important | Important | Important | Moderate
Windows Server 2012 | Windows Server 2012 (3161561) (Important) | Windows Server 2012 (3161949) (Important) | Not applicable | Windows Server 2012 (3157569) (Important) | Windows Server 2012 (3160352) (Important) | Windows Server 2012 (3161958) (Important) | Adobe Flash Player (3167685) (Moderate)
Windows Server 2012 R2 | Windows Server 2012 R2 (3162343) (Important) | Windows Server 2012 R2 (3161949) (Important) | Not applicable | Windows Server 2012 R2 (3157569) (Important) | Windows Server 2012 R2 (3160352) (Important) | Windows Server 2012 R2 (3161958) (Important) | Adobe Flash Player (3167685) (Moderate)

Windows RT 8.1
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | None | Important | None | None | None | Important | Critical
Windows RT 8.1 | Not applicable | Windows RT 8.1 (3161949) (Important) | Not applicable | Not applicable | Not applicable | Windows RT 8.1 (3161958) (Important) | Adobe Flash Player (3167685) (Critical)

Windows 10
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | None | Important | Important | Important | None | Important | Critical
Windows 10 for 32-bit Systems | Not applicable | Windows 10 for 32-bit Systems (3163017) (Important) | Windows 10 for 32-bit Systems (3163017) (Important) | Windows 10 for 32-bit Systems (3163017) (Important) | Not applicable | Windows 10 for 32-bit Systems (3163017) (Important) | Adobe Flash Player (3167685) (Critical)
Windows 10 for x64-based Systems | Not applicable | Windows 10 for x64-based Systems (3163017) (Important) | Windows 10 for x64-based Systems (3163017) (Important) | Windows 10 for x64-based Systems (3163017) (Important) | Not applicable | Windows 10 for x64-based Systems (3163017) (Important) | Adobe Flash Player (3167685) (Critical)
Windows 10 Version 1511 for 32-bit Systems | Not applicable | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Not applicable | Windows 10 Version 1511 for 32-bit Systems (3163018) (Important) | Adobe Flash Player (3167685) (Critical)
Windows 10 Version 1511 for x64-based Systems | Not applicable | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Not applicable | Windows 10 Version 1511 for x64-based Systems (3163018) (Important) | Adobe Flash Player (3167685) (Critical)

Server Core installation option
Bulletin Identifier | MS16-076 | MS16-077 | MS16-078 | MS16-080 | MS16-081 | MS16-082 | MS16-083
Aggregate Severity Rating | Important | Important | None | None | Important | Important | None
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3161949) (Important) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3161949) (Important) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3160352) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3161958) (Important) | Not applicable
Windows Server 2012 (Server Core installation) | Windows Server 2012 (Server Core installation) (3161561) (Important) | Windows Server 2012 (Server Core installation) (3161949) (Important) | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (3160352) (Important) | Windows Server 2012 (Server Core installation) (3161958) (Important) | Not applicable
Windows Server 2012 R2 (Server Core installation) | Windows Server 2012 R2 (Server Core installation) (3162343) (Important) | Windows Server 2012 R2 (Server Core installation) (3161949) (Important) | Not applicable | Not applicable | Windows Server 2012 R2 (Server Core installation) (3160352) (Important) | Windows Server 2012 R2 (Server Core installation) (3161958) (Important) | Not applicable

Microsoft Office 2007
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2007 Service Pack 3 | Microsoft Excel 2007 Service Pack 3 (3115107) (Important); Microsoft Visio 2007 Service Pack 3 (3114740) (Important); Microsoft Word 2007 Service Pack 3 (3115195) (Critical)

Microsoft Office 2010
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2010 Service Pack 2 (32-bit editions) | Microsoft Office 2010 Service Pack 2 (32-bit editions) (3115198) (Critical); Microsoft Excel 2010 Service Pack 2 (32-bit editions) (3115130) (Important); Microsoft Visio 2010 Service Pack 2 (32-bit editions) (3114872) (Important); Microsoft Word 2010 Service Pack 2 (32-bit editions) (3115243) (Critical)
Microsoft Office 2010 Service Pack 2 (64-bit editions) | Microsoft Office 2010 Service Pack 2 (64-bit editions) (3115198) (Critical); Microsoft Excel 2010 Service Pack 2 (64-bit editions) (3115130) (Important); Microsoft Visio 2010 Service Pack 2 (64-bit editions) (3114872) (Important); Microsoft Word 2010 Service Pack 2 (64-bit editions) (3115243) (Critical)

Microsoft Office 2013
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2013 Service Pack 1 (32-bit editions) | Microsoft Visio 2013 Service Pack 1 (32-bit editions) (3115020) (Important); Microsoft Word 2013 Service Pack 1 (32-bit editions) (3115173) (Critical)
Microsoft Office 2013 Service Pack 1 (64-bit editions) | Microsoft Visio 2013 Service Pack 1 (64-bit editions) (3115020) (Important); Microsoft Word 2013 Service Pack 1 (64-bit editions) (3115173) (Critical)

Microsoft Office 2013 RT
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2013 RT Service Pack 1 | Microsoft Word 2013 RT Service Pack 1 (3115173) (Critical)

Microsoft Office 2016
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2016 (32-bit edition) | Microsoft Office 2016 (32-bit edition) (3115144) (Important); Microsoft Visio 2016 (32-bit edition) (3115041) (Important); Microsoft Word 2016 (32-bit edition) (3115182) (Critical)
Microsoft Office 2016 (64-bit edition) | Microsoft Office 2016 (64-bit edition) (3115144) (Important); Microsoft Visio 2016 (64-bit edition) (3115041) (Important); Microsoft Word 2016 (64-bit edition) (3115182) (Critical)

Microsoft Office for Mac 2011
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office for Mac 2011 | Microsoft Word for Mac 2011 (3165796) (Critical)

Microsoft Office 2016 for Mac
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Critical
Microsoft Office 2016 for Mac | Microsoft Word 2016 for Mac (3165798) (Critical)

Other Office Software
Bulletin Identifier | MS16-070
Aggregate Severity Rating | Important
Microsoft Office Compatibility Pack Service Pack 3 | Microsoft Office Compatibility Pack Service Pack 3 (3115111) (Important); Microsoft Office Compatibility Pack Service Pack 3 (3115194) (Important)
Microsoft Visio Viewer 2007 Service Pack 3 | Microsoft Visio Viewer 2007 Service Pack 3 (2596915) (Important)
Microsoft Visio Viewer 2010 (32-bit Edition) | Microsoft Visio Viewer 2010 (32-bit Edition) (2999465) (Important)
Microsoft Visio Viewer 2010 (64-bit Edition) | Microsoft Visio Viewer 2010 (64-bit Edition) (2999465) (Important)
Microsoft Word Viewer | Microsoft Word Viewer (3115187) (Important)

This bulletin spans more than one software category.
See other tables in this section for additional affected software.
The following tables list the bulletins in order of major software category and severity. Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation.
If a software program or component is listed, then the severity rating of the software update is also listed.Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system. Windows Vista Bulletin Identifier                                                  MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Critical None Critical Critical Important Windows Vista Service Pack 2 Internet Explorer 7                               (3093983)(Critical)Internet Explorer 8(3093983)(Critical)Internet Explorer 9(3093983)(Critical) Not applicable                                           JScript 5.7 and VBScript 5.7(3094996)(Critical)                                                Windows Vista Service Pack 2(3080446)(Critical)Windows Vista Service Pack 2(3093513)(Critical) Windows Vista Service Pack 2(3088195)(Important) Windows Vista x64 Edition Service Pack 2 Internet Explorer 7(3093983)(Critical)Internet Explorer 8(3093983)(Critical)Internet Explorer 9(3093983)(Critical) Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Vista x64 Edition Service Pack 2(3080446)(Critical)Windows Vista x64 Edition Service Pack 2(3093513)(Critical) Windows Vista x64 Edition Service Pack 2(3088195)(Important) Windows Server 2008 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Moderate None Critical Critical Important Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7(3093983)(Moderate)Internet Explorer 8(3093983)(Moderate)Internet Explorer 9(3093983)(Moderate) Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Server 2008 for 32-bit Systems Service Pack 2(3080446)(Critical) Windows Server 2008 for 32-bit Systems Service Pack 2(3088195)(Important) Windows Server 
2008 for x64-based Systems Service Pack 2 Internet Explorer 7(3093983)(Moderate)Internet Explorer 8(3093983)(Moderate)Internet Explorer 9(3093983)(Moderate) Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Server 2008 for x64-based Systems Service Pack 2(3080446)(Critical) Windows Server 2008 for x64-based Systems Service Pack 2(3088195)(Important) Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 7(3093983)(Moderate) Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Server 2008 for Itanium-based Systems Service Pack 2(3080446)(Critical) Windows Server 2008 for Itanium-based Systems Service Pack 2(3088195)(Important) Windows 7 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Critical None None Critical Important Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8(3093983)(Critical)Internet Explorer 9(3093983)(Critical)Internet Explorer 10(3093983)(Critical)Internet Explorer 11(3093983)(Critical) Not applicable Not applicable Windows 7 for 32-bit Systems Service Pack 1(3080446)(Critical)Windows 7 for 32-bit Systems Service Pack 1(3093513)(Critical) Windows 7 for 32-bit Systems Service Pack 1(3088195)(Important) Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8(3093983)(Critical)Internet Explorer 9(3093983)(Critical)Internet Explorer 10(3093983)(Critical)Internet Explorer 11(3093983)(Critical) Not applicable Not applicable Windows 7 for x64-based Systems Service Pack 1(3080446)(Critical)Windows 7 for x64-based Systems Service Pack 1(3093513)(Critical) Windows 7 for x64-based Systems Service Pack 1(3088195)(Important) Windows Server 2008 R2 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Moderate None None Critical Important Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8(3093983)(Moderate)Internet Explorer 9(3093983)(Moderate)Internet Explorer 
10(3093983)(Moderate)Internet Explorer 11(3093983)(Moderate) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1(3080446)(Critical) Windows Server 2008 R2 for x64-based Systems Service Pack 1(3088195)(Important) Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8(3093983)(Moderate) Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(3080446)(Critical) Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(3088195)(Important) Windows 8 and Windows 8.1 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Critical None None Critical Important Windows 8 for 32-bit Systems Internet Explorer 10(3093983)(Critical) Not applicable Not applicable Windows 8 for 32-bit Systems(3080446)(Critical) Windows 8 for 32-bit Systems(3088195)(Important) Windows 8 for x64-based Systems Internet Explorer 10(3093983)(Critical) Not applicable Not applicable Windows 8 for x64-based Systems(3080446)(Critical) Windows 8 for x64-based Systems(3088195)(Important) Windows 8.1 for 32-bit Systems Internet Explorer 11(3093983)(Critical) Not applicable Not applicable Windows 8.1 for 32-bit Systems(3080446)(Critical) Windows 8.1 for 32-bit Systems(3088195)(Important) Windows 8.1 for x64-based Systems Internet Explorer 11(3093983)(Critical) Not applicable Not applicable Windows 8.1 for x64-based Systems(3080446)(Critical) Windows 8.1 for x64-based Systems(3088195)(Important) Windows Server 2012 and Windows Server 2012 R2 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Moderate None None Critical Important Windows Server 2012 Internet Explorer 10(3093983)(Moderate) Not applicable Not applicable Windows Server 2012(3080446)(Critical) Windows Server 2012(3088195)(Important) Windows Server 2012 R2 Internet Explorer 11(3093983)(Moderate) Not applicable Not applicable Windows Server 2012 R2(3080446)(Critical) 
Windows Server 2012 R2(3088195)(Important) Windows RT and Windows RT 8.1 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Critical None None Critical Important Windows RT Internet Explorer 10(3093983)(Critical) Not applicable Not applicable Windows RT(3080446)(Critical) Windows RT(3088195)(Important) Windows RT 8.1 Internet Explorer 11(3093983)(Critical) Not applicable Not applicable Windows RT 8.1(3080446)(Critical) Windows RT 8.1(3088195)(Important) Windows 10 Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating Critical Important None Critical Important Windows 10 for 32-bit Systems Internet Explorer 11(3105210)(Critical) Microsoft Edge(3097617)(Important) Not applicable Windows 10 for 32-bit Systems(3097617)(Critical) Windows 10 for 32-bit Systems(3097617)(Important) Windows 10 for x64-based Systems Internet Explorer 11(3105210)(Critical) Microsoft Edge(3097617)(Important) Not applicable Windows 10 for x64-based Systems(3097617)(Critical) Windows 10 for x64-based Systems(3097617)(Important) Server Core installation option Bulletin Identifier MS15-106 MS15-107 MS15-108 MS15-109 MS15-111 Aggregate Severity Rating None None Critical Critical Important Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation) Not applicable Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)(3080446)(Critical) Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)(3088195)(Important) Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation) Not applicable Not applicable JScript 5.7 and VBScript 5.7(3094996)(Critical) Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)(3080446)(Critical) Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)(3088195)(Important) Windows Server 2008 R2 
for x64-based Systems Service Pack 1(Server Core installation) Not applicable Not applicable JScript 5.8 and VBScript 5.8(3094995)(Critical) Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)(3080446)(Critical) Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)(3088195)(Important) Windows Server 2012(Server Core installation) Not applicable Not applicable Not applicable Windows Server 2012(Server Core installation)(3080446)(Critical) Windows Server 2012(Server Core installation)(3088195)(Important) Windows Server 2012 R2(Server Core installation) Not applicable Not applicable Not applicable Windows Server 2012 R2(Server Core installation)(3080446)(Critical) Windows Server 2012 R2(Server Core installation)(3088195)(Important) Microsoft Office 2007 Bulletin Identifier                  MS15-110 Aggregate Severity Rating Important Microsoft Office 2007 Service Pack 3 Microsoft Excel 2007 Service Pack 3(3085615)(Important)Microsoft Visio 2007 Service Pack 3(3085542)(Important) Microsoft Office 2010 Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Excel 2010 Service Pack 2 (32-bit editions)(3085609)(Important)Microsoft Visio 2010 Service Pack 2 (32-bit editions)(3085514)(Important) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Excel 2010 Service Pack 2 (64-bit editions)(3085609)(Important)Microsoft Visio 2010 Service Pack 2 (64-bit editions)(3085514)(Important) Microsoft Office 2013 Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Excel 2013 Service Pack 1 (32-bit editions)(3085583)(Important) Microsoft Office 2013 Service Pack 1 (64-bit editions) Microsoft Excel 2013 Service Pack 1 (64-bit editions)(3085583)(Important) Microsoft Office 2013 RT Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Office 
2013 RT Service Pack 1 Microsoft Excel 2013 RT Service Pack 1(3085583)(Important) Microsoft Office 2016 Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Office 2016 (32-bit edition) Microsoft Excel 2016 (32-bit edition)(2920693)(Important) Microsoft Office 2016 (64-bit edition) Microsoft Excel 2016 (64-bit edition)(2920693)(Important) Microsoft Office for Mac Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Office for Mac 2011 Microsoft Excel for Mac 2011(3097266)(Important) Microsoft Office 2016 for Mac Microsoft Excel 2016 for Mac(3097264)(Important) Other Office Software Bulletin Identifier MS15-110 Aggregate Severity Rating Important Microsoft Excel Viewer Microsoft Excel Viewer(3085619)(Important) Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office Compatibility Pack Service Pack 3(3085618)(Important) This bulletin spans more than one software category.
See the other tables in this section for additional affected software.
Security Update for Adobe Flash Player (3167685)
Published: June 16, 2016
Version: 1.0

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. For more information, see the Affected Software section.

For more information about this update, see Microsoft Knowledge Base Article 3167685.

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB16-18: CVE-2016-4121, CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4126, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System | Component | Aggregate Severity and Impact | Updates Replaced*

Windows 8.1
Windows 8.1 for 32-bit Systems | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064
Windows 8.1 for x64-based Systems | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 | Adobe Flash Player (3167685) | Moderate Remote Code Execution | 3163207 in MS16-064
Windows Server 2012 R2 | Adobe Flash Player (3167685) | Moderate Remote Code Execution | 3163207 in MS16-064

Windows RT 8.1
Windows RT 8.1 [1] | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064

Windows 10
Windows 10 for 32-bit Systems [2] | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064
Windows 10 for x64-based Systems [2] | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064
Windows 10 Version 1511 for 32-bit Systems [2] | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064
Windows 10 Version 1511 for x64-based Systems [2] | Adobe Flash Player (3167685) | Critical Remote Code Execution | 3163207 in MS16-064

[1] This update is available via Windows Update.
[2] The Adobe Flash Player updates for Windows 10 updates are available via Windows Update or via the Microsoft Update Catalog.

Note Windows Server 2016 Technical Preview 5 is affected; the aggregate severity rating is Critical and the impact is Moderate, Remote Code Execution. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

*The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

How could an attacker exploit these vulnerabilities?

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.

The following mitigating factors may be helpful in your situation:

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Internet Explorer in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed on the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables scripts and ActiveX controls, helps reduce the risk of an attacker being able to use any of these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of any of these vulnerabilities through the web-based attack scenario.

By default, Internet Explorer on Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode can help reduce the likelihood of the exploitation of these Adobe Flash Player vulnerabilities in Internet Explorer.

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

Prevent Adobe Flash Player from running

You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To set the kill bit for the control in the registry, perform the following steps:

1. Paste the following into a text file and save it with the .reg file extension.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400

2. Double-click the .reg file to apply it to an individual system.

You can also apply this workaround across domains by using Group Policy.

For more information about Group Policy, see the TechNet article, Group Policy collection.

Note You must restart Internet Explorer for your changes to take effect.

Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

How to undo the workaround. Delete the registry keys that were added in implementing this workaround.

Prevent Adobe Flash Player from running in Internet Explorer through Group Policy

Note The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit, or for an entire domain. For more information about Group Policy, visit the following Microsoft Web sites:

Group Policy Overview
What is Group Policy Object Editor?
Core Group Policy tools and settings

To disable Adobe Flash Player in Internet Explorer through Group Policy, perform the following steps:

Note This workaround does not prevent Flash from being invoked from other applications, such as Microsoft Office 2007 or Microsoft Office 2010.

1. Open the Group Policy Management Console and configure the console to work with the appropriate Group Policy object, such as local machine, OU, or domain GPO.
2. Navigate to the following node: Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management
3. Double-click Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
4. Change the setting to Enabled.
5. Click Apply and then click OK to return to the Group Policy Management Console.
6. Refresh Group Policy on all systems or wait for the next scheduled Group Policy refresh interval for the settings to take effect.

Prevent Adobe Flash Player from running in Office 2010 on affected systems

Note This workaround does not prevent Adobe Flash Player from running in Internet Explorer.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in the article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

To disable Adobe Flash Player in Office 2010 only, set the kill bit for the ActiveX control for Adobe Flash Player in the registry using the following steps:

1. Create a text file named Disable_Flash.reg with the following contents:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM\Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400

2. Double-click the .reg file to apply it to an individual system.

Note You must restart Internet Explorer for your changes to take effect.

You can also apply this workaround across domains by using Group Policy.
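To confirm on a host that the two kill-bit workarounds above took effect, the following added example (not part of the bulletin and not Microsoft's code) reads the three registry locations named in the .reg files and tests bit 0x400 of Compatibility Flags. The function name Get-FlashKillBitStatus, the location labels and the status strings are assumptions made for this example.

```powershell
# Added example: audit the Adobe Flash Player kill bit set by the registry workarounds.
# Run from a 64-bit PowerShell session on 64-bit Windows; a 32-bit process is
# redirected to the Wow6432Node view and would read the same key twice.

$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # CLSID given in the bulletin
$KillBit    = 0x400                                       # dword:00000400
$ValueName  = 'Compatibility Flags'

# Registry locations taken from the two .reg files in the bulletin.
# The Wow6432Node key exists only on 64-bit Windows; the Office key is written
# only by the Office 2010 workaround.
$IeCompat  = 'Microsoft\Internet Explorer\ActiveX Compatibility'
$Locations = [ordered]@{
    'IE (native view)' = "HKLM:\SOFTWARE\$IeCompat\$FlashClsid"
    'IE (Wow6432Node)' = "HKLM:\SOFTWARE\Wow6432Node\$IeCompat\$FlashClsid"
    'Office COM'       = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM\Compatibility\$FlashClsid"
}

function Get-FlashKillBitStatus {
    # Hypothetical helper: returns one status object for one registry location.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )

    $status = 'KeyMissing'
    $flags  = $null

    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        $raw = $key.GetValue($ValueName, $null)

        if ($null -eq $raw) {
            # Key exists (for example left over from another tool) but carries no flags.
            $status = 'ValueMissing'
        }
        elseif ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # A string or binary value with this name is not a valid kill bit.
            $status = 'WrongType'
        }
        else {
            $flags = '0x{0:X8}' -f $raw
            # Test the bit rather than comparing for equality: other compatibility
            # flags may be set in the same DWORD.
            if (($raw -band $KillBit) -eq $KillBit) {
                $status = 'KillBitSet'
            }
            else {
                $status = 'KillBitNotSet'
            }
        }
    }

    [pscustomobject]@{
        Location = $Name
        Status   = $status
        Flags    = $flags
        Path     = $Path
    }
}

$report = foreach ($entry in $Locations.GetEnumerator()) {
    Get-FlashKillBitStatus -Name $entry.Key -Path $entry.Value
}

$report | Format-Table Location, Status, Flags -AutoSize

# Call out every location where the control can still be instantiated.
foreach ($row in $report) {
    if ($row.Status -ne 'KillBitSet') {
        Write-Warning ("Flash kill bit not in effect at {0}: {1}" -f $row.Location, $row.Status)
    }
}
```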

For more information about Group Policy, see the TechNet article, Group Policy collection.

Prevent ActiveX controls from running in Office 2007 and Office 2010

To disable all ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, including Adobe Flash Player in Internet Explorer, perform the following steps:

1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
2. Click ActiveX Settings in the left-hand pane, and then select Disable all controls without notifications.
3. Click OK to save your settings.

Impact of workaround. Office documents that use embedded ActiveX controls may not display as intended.

How to undo the workaround. To re-enable ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, perform the following steps:

1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
2. Click ActiveX Settings in the left-hand pane, and then deselect Disable all controls without notifications.
3. Click OK to save your settings.

Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

You can help protect against exploitation of these vulnerabilities by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, perform the following steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click Internet.
3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
4. Click Local intranet.
5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
6. Click OK to accept the changes and return to Internet Explorer.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of workaround. There are side effects to blocking ActiveX Controls and Active Scripting. Many websites on the Internet or an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Blocking ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. If you do not want to block ActiveX Controls or Active Scripting for such sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against exploitation of these vulnerabilities by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

To do this, perform the following steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK to return to Internet Explorer, and then click OK again.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of workaround. There are side effects to prompting before running Active Scripting. Many websites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone.

This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. To do this, perform the following steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two sites in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and they require an ActiveX control to install the update.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (June 16, 2016): Bulletin published. Page generated 2016-06-15 17:38-07:00.
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note Windows Server 2016 Technical Preview 5 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).
Microsoft Edge Security Feature Bypass – CVE-2016-3198

A security feature bypass exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents. An attacker who exploited the bypass could trick a user into loading a page containing malicious content.

To exploit the bypass, an attacker must trick a user into either loading a page containing malicious content or visiting a malicious website. The attacker could also inject the malicious page into either a compromised website or an advertisement network. The update addresses the bypass by correcting how the Edge CSP validates documents.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Edge Security Feature Bypass | CVE-2016-3198 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3199 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3202 | No | No
Scripting Engine Memory Corruption Vulnerability | CVE-2016-3214 | No | No
Microsoft Edge Memory Corruption Vulnerability | CVE-2016-3222 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Multiple Windows PDF Information Disclosure Vulnerabilities

Information disclosure vulnerabilities exist in Microsoft Windows when a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could read information in the context of the current user.

To exploit the vulnerabilities, an attacker would have to trick the user into opening the .pdf file. The update addresses the vulnerabilities by modifying how Windows parses .pdf files.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Windows PDF Information Disclosure Vulnerability | CVE-2016-3201 | No | No
Windows PDF Information Disclosure Vulnerability | CVE-2016-3215 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for these vulnerabilities.

Windows PDF Remote Code Execution Vulnerability - CVE-2016-3203

A remote code execution vulnerability exists in Microsoft Windows if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerability could cause arbitrary code to execute in the context of the current user.

To exploit the vulnerability, an attacker must entice the user to open a specially crafted .pdf file. The update addresses the vulnerabilities by modifying how Windows parses .pdf files.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Windows PDF Remote Code Execution Vulnerability | CVE-2016-3203 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Multiple Microsoft Office Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0025.

The security update addresses the vulnerability by correcting how Office handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Office Memory Corruption Vulnerability | CVE-2016-0025 | No | No
Microsoft Office Memory Corruption Vulnerability | CVE-2016-3233 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Microsoft Office Information Disclosure Vulnerability – CVE-2016-3234

An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data.

To exploit the vulnerability, an attacker could craft a special document file, and then convince the victim to open it. An attacker must know the memory address location where the object was created.

The update addresses the vulnerability by changing the way certain functions handle objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Office Information Disclosure Vulnerability | CVE-2016-3234 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
The following workaround may be helpful in your situation:

Workaround for CVE-2016-3234

Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For Office 2007
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
2. Set the RtfFiles DWORD value to 1.
Note To use 'FileOpenBlock' with Office 2007, all of the latest Office 2007 security updates as of May 2007 must be applied.

For Office 2010
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 2.
3. Set the OpenInProtectedView DWORD value to 0.

For Office 2013
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 2.
3. Set the OpenInProtectedView DWORD value to 0.

Impact of Workaround. Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922849 will be unable to open documents saved in the RTF format.

How to undo the workaround

For Office 2007
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
2. Set the RtfFiles DWORD value to 0.

For Office 2010
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 0.
3. Leave the OpenInProtectedView DWORD value set to 0.

For Office 2013
1. Run regedit.exe as Administrator and navigate to the following subkey:
   [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
2. Set the RtfFiles DWORD value to 0.
3. Leave the OpenInProtectedView DWORD value set to 0.

Prevent Word from loading RTF files

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Interactive managed script method

For Word 2007
1. Click Start, click Run, in the Open box, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
   Note that if the FileOpenBlock subkey does not exist, you must create it. To do this, follow these steps:
   a. Select the Security subkey.
   b. On the Edit menu, point to New, and then click Key.
   c. Type FileOpenBlock, and then press Enter.
3. After you select the FileOpenBlock subkey, locate the DWORD value RtfFiles.
   Note that if this value does not exist, you must create it. To do this, follow these steps:
   a. On the Edit menu, point to New, and then click DWORD value.
   b. Type RtfFiles and then press Enter.
4. Right-click RtfFiles and then click Modify.
5. In the Value data box, type 1, and then click OK.
6. On the File menu, click Exit to exit Registry Editor.

Managed deployment script method

For Word 2007
1. Save the following to a file with a .reg extension (for example, Disable_RTF_In_Word.reg):

   Windows Registry Editor Version 5.00

   [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
   "RtfFiles"=dword:00000001

2. Run the above registry script created in step 1 on the target machine with the following command from an administrator command prompt:

   Regedit /s Disable_RTF_In_Word.reg

Note RTF files will not be readable by Word.

Microsoft Office OLE DLL Side Loading Vulnerability – CVE-2016-3235

A remote code execution vulnerability exists when Windows improperly validates input before loading libraries. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would need access to the local system and the ability to execute a specially crafted application on the system. The security update addresses the vulnerability by correcting how Windows validates input before loading libraries.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Office OLE DLL Side Loading Vulnerability | CVE-2016-3235 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.
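The File Block workaround for CVE-2016-3234 described earlier in this bulletin touches a different subkey and value set for each Office release, which is easy to get wrong by hand. The PowerShell below is an added example, not Microsoft's script: it reports, applies, or undoes exactly the subkeys and DWORD values listed in the bulletin. The function names, the `-Undo` switch and the `$RtfFileBlock` table are this example's own.

```powershell
# Added example (not from the bulletin): audit, apply or undo the RTF File
# Block workaround for CVE-2016-3234. Subkeys and DWORD values are the ones
# the bulletin lists; all function and parameter names are hypothetical.
# The keys live under HKEY_CURRENT_USER, so every result describes only the
# account that runs the script.

$RtfFileBlock = @(
    [pscustomobject]@{
        Office   = '2007'
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock'
        Settings = [ordered]@{ RtfFiles = 1 }
    }
    [pscustomobject]@{
        Office   = '2010'
        Path     = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\FileBlock'
        Settings = [ordered]@{ RtfFiles = 2; OpenInProtectedView = 0 }
    }
    [pscustomobject]@{
        Office   = '2013'
        Path     = 'HKCU:\Software\Microsoft\Office\15.0\Word\Security\FileBlock'
        Settings = [ordered]@{ RtfFiles = 2; OpenInProtectedView = 0 }
    }
)

function Get-RtfFileBlockState {
    # One row per expected value: what the bulletin asks for vs. what is set.
    foreach ($entry in $RtfFileBlock) {
        $props = Get-ItemProperty -LiteralPath $entry.Path -ErrorAction SilentlyContinue
        foreach ($name in $entry.Settings.Keys) {
            $expected = $entry.Settings[$name]
            $prop     = if ($null -ne $props) { $props.PSObject.Properties[$name] }
            $actual   = if ($null -ne $prop)  { $prop.Value }
            [pscustomobject]@{
                Office    = $entry.Office
                Key       = $entry.Path
                Value     = $name
                Expected  = $expected
                Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
                Compliant = ($null -ne $actual) -and ($actual -eq $expected)
            }
        }
    }
}

function Set-RtfFileBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('2007', '2010', '2013')]
        [string[]]$Office = @('2007', '2010', '2013'),

        # Bulletin's undo procedure: RtfFiles back to 0, other values untouched.
        [switch]$Undo
    )
    foreach ($entry in ($RtfFileBlock | Where-Object { $Office -contains $_.Office })) {
        $exists = Test-Path -LiteralPath $entry.Path
        if ($Undo -and -not $exists) { continue }   # nothing to undo

        $desired = if ($Undo) { [ordered]@{ RtfFiles = 0 } } else { $entry.Settings }

        if (-not $exists -and $PSCmdlet.ShouldProcess($entry.Path, 'Create subkey')) {
            New-Item -Path $entry.Path -Force | Out-Null
        }
        foreach ($name in $desired.Keys) {
            $value = $desired[$name]
            if ($PSCmdlet.ShouldProcess("$($entry.Path)\$name", "Set DWORD to $value")) {
                New-ItemProperty -LiteralPath $entry.Path -Name $name `
                    -PropertyType DWord -Value $value -Force | Out-Null
            }
        }
    }
}

# Read-only report for the current user:
Get-RtfFileBlockState | Format-Table Office, Value, Expected, Actual, Compliant -AutoSize

# Preview before changing anything, then re-run without -WhatIf:
# Set-RtfFileBlock -Office 2013 -WhatIf
# Set-RtfFileBlock -Office 2013 -Undo -WhatIf
```

Because the subkeys are per-user, run the report in each affected user's session; a prompt elevated under a different administrator account reads and writes that administrator's hive instead.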
Security Update for Microsoft Windows DNS Server (3164065)
Published: June 14, 2016
Version: 1.0

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

This security update is rated Critical for all supported releases of Windows Server 2012 and Windows Server 2012 R2. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerability by modifying how DNS servers handle requests. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3164065.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

Note Windows Server Technical Preview 5 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Windows DNS Server Use After Free Vulnerability – CVE-2016-3227

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title | CVE number | Publicly disclosed | Exploited
Windows DNS Server Use After Free Vulnerability | CVE-2016-3227 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See Acknowledgments for more information.

V1.0 (June 14, 2016): Bulletin published. Page generated 2016-06-08 09:48-07:00.
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note Windows Server 2016 Technical Preview 4 and Windows Server 2016 Technical Preview 5 are affected. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

[1] Before installing this update, you must have update 2965218 and security update 3039779 installed. See the Update FAQ for more information.

* The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).
Security Update for Microsoft Windows Search Component (3165270)
Published: June 14, 2016
Version: 1.0

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

This security update is rated Important for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The update addresses the vulnerability by correcting how the Windows Search component handles objects in memory. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3165270.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note Windows Server Technical Preview 5 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Does this update contain any additional security-related changes to functionality?
In addition to the changes that are listed for the vulnerabilities described in this bulletin, this update includes defense-in-depth updates to help improve credential protection and domain authentication controls to reduce credential theft.

Windows Search Component Denial of Service Vulnerability - CVE-2016-3230

This vulnerability occurs when the Windows Search component fails to properly handle certain objects in memory. An attacker who successfully exploited this vulnerability could cause server performance to degrade sufficiently to cause a denial of service condition.

To exploit this vulnerability, an attacker could use it to cause a denial of service attack and disrupt server availability. The update addresses the vulnerability by correcting how the Windows Search component handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title | CVE number | Publicly disclosed | Exploited
Windows Search Component Denial of Service Vulnerability | CVE-2016-3230 | Yes | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See Acknowledgments for more information.

V1.0 (June 14, 2016): Bulletin published. Page generated 2016-06-10 15:46-07:00.
The following tables list the bulletins in order of major software category and severity.

Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation. If a software program or component is listed, then the severity rating of the software update is also listed.

Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Windows Vista

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Critical | None | Critical | Critical | Important | Important
Windows Vista Service Pack 2 | Internet Explorer 9 (3148198) (Critical) | Not applicable | Windows Vista Service Pack 2 (3145739) (Critical); Microsoft .NET Framework 3.0 Service Pack 2 (3142041) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6 (3143693) (Important) | Windows Vista Service Pack 2 (3146706) (Important)
Windows Vista x64 Edition Service Pack 2 | Internet Explorer 9 (3148198) (Critical) | Not applicable | Windows Vista x64 Edition Service Pack 2 (3145739) (Critical); Microsoft .NET Framework 3.0 Service Pack 2 (3142041) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6 (3143693) (Important) | Windows Vista x64 Edition Service Pack 2 (3146706) (Important)

Windows Server 2008

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Moderate | None | Critical | Critical | Important | Important
Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 9 (3148198) (Moderate) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (3145739) (Critical); Microsoft .NET Framework 3.0 Service Pack 2 (3142041) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6 (3143693) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (3146706) (Important)
Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 9 (3148198) (Moderate) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (3145739) (Critical); Microsoft .NET Framework 3.0 Service Pack 2 (3142041) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6 (3143693) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (3146706) (Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 | Not applicable | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3145739) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (3146706) (Important)

Windows 7

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Critical | None | Critical | Critical | Important | Important
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 11 (3148198) (Critical) | Not applicable | Windows 7 for 32-bit Systems Service Pack 1 (3145739) (Critical); Microsoft .NET Framework 3.5.1 (3142042) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6/4.6.1 (3143693) (Important) | Windows 7 for 32-bit Systems Service Pack 1 (3146706) (Important)
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3148198) (Critical) | Not applicable | Windows 7 for x64-based Systems Service Pack 1 (3145739) (Critical); Microsoft .NET Framework 3.5.1 (3142042) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6/4.6.1 (3143693) (Important) | Windows 7 for x64-based Systems Service Pack 1 (3146706) (Important)

Windows Server 2008 R2

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Moderate | None | Critical | Critical | Important | Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 11 (3148198) (Moderate) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3145739) (Critical); Microsoft .NET Framework 3.5.1 (3142042) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Microsoft .NET Framework 4.6/4.6.1 (3143693) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3146706) (Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Not applicable | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3145739) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3146706) (Important)

Windows 8.1

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Critical | None | Critical | Critical | None | Important
Windows 8.1 for 32-bit Systems | Internet Explorer 11 (3148198) (Critical) | Not applicable | Windows 8.1 for 32-bit Systems (3145739) (Critical); Microsoft .NET Framework 3.5 (3142045) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows 8.1 for 32-bit Systems (3146706) (Important)
Windows 8.1 for x64-based Systems | Internet Explorer 11 (3148198) (Critical) | Not applicable | Windows 8.1 for x64-based Systems (3145739) (Critical); Microsoft .NET Framework 3.5 (3142045) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows 8.1 for x64-based Systems (3146706) (Important)

Windows Server 2012 and Windows Server 2012 R2

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Moderate | None | Critical | Critical | None | Important
Windows Server 2012 | Internet Explorer 10 (3148198) (Moderate) | Not applicable | Windows Server 2012 (3145739) (Critical); Microsoft .NET Framework 3.5 (3142043) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows Server 2012 (3146706) (Important)
Windows Server 2012 R2 | Internet Explorer 11 (3148198) (Moderate) | Not applicable | Windows Server 2012 R2 (3145739) (Critical); Microsoft .NET Framework 3.5 (3142045) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows Server 2012 R2 (3146706) (Important)

Windows RT 8.1

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Critical | None | Critical | Critical | None | Important
Windows RT 8.1 | Internet Explorer 11 (3148198) (Critical) | Not applicable | Windows RT 8.1 (3145739) (Critical) | Microsoft XML Core Services 3.0 (3146963) (Critical) | Not applicable | Windows RT 8.1 (3146706) (Important)

Windows 10

Bulletin Identifier | MS16-037 | MS16-038 | MS16-039 | MS16-040 | MS16-041 | MS16-044
Aggregate Severity Rating | Critical | Critical | Critical | Critical | None | None
Windows 10 for 32-bit Systems | Internet Explorer 11 (3147461) (Critical) | Microsoft Edge (3147461) (Critical) | Windows 10 for 32-bit Systems (3147461) (Critical); Microsoft .NET Framework 3.5 (3147461) (Critical) | Microsoft XML Core Services 3.0 (3147461) (Critical) | Not applicable | Not applicable
Windows 10 for x64-based Systems | Internet Explorer 11 (3147461) (Critical) | Microsoft Edge (3147461) (Critical) | Windows 10 for x64-based Systems (3147461) (Critical); Microsoft .NET Framework 3.5 (3147461) (Critical) | Microsoft XML Core Services 3.0 (3147461) (Critical) | Not applicable | Not applicable
Windows 10 Version 1511 for 32-bit Systems | Internet Explorer 11 (3147458) (Critical) | Microsoft Edge (3147458) (Critical) | Windows 10 Version 1511 for 32-bit Systems (3147458) (Critical); Microsoft .NET Framework 3.5 (3147458) (Critical) | Microsoft XML Core Services 3.0 (3147458) (Critical) | Not applicable | Not applicable
Windows 10 Version 1511 for x64-based Systems | Internet Explorer 11 (3147458) (Critical) | Microsoft Edge (3147458) (Critical) | Windows 10 Version 1511 for x64-based Systems (3147458) (Critical); Microsoft .NET Framework 3.5 (3147458) (Critical) | Microsoft XML Core 
Services 3.0(3147458)(Critical) Not applicable Not applicable Server Core installation option Bulletin Identifier                                                  MS16-037 MS16-038 MS16-039 MS16-040 MS16-041 MS16-044 Aggregate Severity Rating None None Critical Critical Important Important Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation) Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3145739)(Critical) Microsoft XML Core Services 3.0(3146963)(Critical) Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)(3146706)(Important) Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation) Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3145739)(Critical) Microsoft XML Core Services 3.0(3146963)(Critical) Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)(3146706)(Important) Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3145739)(Critical)Microsoft .NET Framework 3.5.1(3142042)(Critical) Microsoft XML Core Services 3.0(3146963)(Critical) Microsoft .NET Framework 4.6/4.6.1(3143693)(Important) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(3146706)(Important) Windows Server 2012(Server Core installation) Not applicable Not applicable Windows Server 2012 (Server Core installation)(3145739)(Critical)Microsoft .NET Framework 3.5(3142043)(Critical) Microsoft XML Core Services 3.0(3146963)(Critical) Not applicable Windows Server 2012 (Server Core installation)(3146706)(Important) Windows Server 2012 R2(Server Core installation) Not applicable Not applicable Windows Server 2012 R2 (Server Core 
installation)(3145739)(Critical)Microsoft .NET Framework 3.5(3142045)(Critical) Microsoft XML Core Services 3.0(3146963)(Critical) Not applicable Windows Server 2012 R2 (Server Core installation)(3146706)(Important) This bulletin spans more than one software category.
See the other tables in this section for additional affected software. Windows Vista Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating None None Important None None None Windows Vista Service Pack 2 Not applicable Not applicable Windows Vista Service Pack 2(3149090)(Important) Not applicable Not applicable Not applicable Windows Vista x64 Edition Service Pack 2 Not applicable Not applicable Windows Vista x64 Edition Service Pack 2(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating None None Important None None None Windows Server 2008 for 32-bit Systems Service Pack 2 Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 for Itanium-based Systems Service Pack 2 Not applicable Not applicable Windows Server 2008 for Itanium-based Systems Service Pack 2(3149090)(Important) Not applicable Not applicable Not applicable Windows 7 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating None None Important None None None Windows 7 for 32-bit Systems Service Pack 1 Not applicable Not applicable Windows 7 for 32-bit Systems Service Pack 1(3149090)(Important) Not applicable Not applicable Not applicable Windows 7 for x64-based Systems Service Pack 1 Not applicable Not applicable Windows 7 for x64-based Systems Service Pack 1(3149090)(Important) Not applicable Not applicable Not applicable 
Windows Server 2008 R2 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating None None Important None None None Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Not applicable Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(3149090)(Important) Not applicable Not applicable Not applicable Windows 8.1 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating Important None Important Important None Critical Windows 8.1 for 32-bit Systems Not applicable Not applicable Windows 8.1 for 32-bit Systems(3149090)(Important) Windows 8.1 for 32-bit Systems(3146723)(Important) Not applicable Adobe Flash Player(3154132)(Critical) Windows 8.1 for x64-based Systems Windows 8.1 for x64-based Systems(3135456)(Important) Not applicable Windows 8.1 for x64-based Systems(3149090)(Important) Windows 8.1 for x64-based Systems(3146723)(Important) Not applicable Adobe Flash Player(3154132)(Critical) Windows Server 2012 and Windows Server 2012 R2 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating Important None Important Important None Moderate Windows Server 2012 Windows Server 2012(3135456)(Important) Not applicable Windows Server 2012(3149090)(Important) Windows Server 2012(3146723)(Important) Not applicable Adobe Flash Player(3154132)(Moderate) Windows Server 2012 R2 Windows Server 2012 R2(3135456)(Important) Not applicable Windows Server 2012 R2(3149090)(Important) Windows Server 2012 R2(3146723)(Important) Not applicable Adobe Flash 
Player(3154132)(Moderate) Windows RT 8.1 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating None None Important Important None Critical Windows RT 8.1 Not applicable Not applicable Windows RT 8.1(3149090)(Important) Windows RT 8.1(3146723)(Important) Not applicable Adobe Flash Player(3154132)(Critical) Windows 10 Bulletin Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating Important Important Important Important Important Critical Windows 10 for 32-bit Systems Not applicable Windows 10 for 32-bit Systems(3147461)(Important) Windows 10 for 32-bit Systems(3147461)(Important) Windows 10 for 32-bit Systems(3147461)(Important) Windows 10 for 32-bit Systems(3147461)(Important) Adobe Flash Player(3154132)(Critical) Windows 10 for x64-based Systems Windows 10 for x64-based Systems(3147461)(Important) Windows 10 for x64-based Systems(3147461)(Important) Windows 10 for x64-based Systems(3147461)(Important) Windows 10 for x64-based Systems(3147461)(Important) Windows 10 for x64-based Systems(3147461)(Important) Adobe Flash Player(3154132)(Critical) Windows 10 Version 1511 for 32-bit Systems Not applicable Windows 10 Version 1511 for 32-bit Systems(3147458)(Important) Windows 10 Version 1511 for 32-bit Systems(3147458)(Important) Windows 10 Version 1511 for 32-bit Systems(3147458)(Important) Windows 10 Version 1511 for 32-bit Systems(3147458)(Important) Adobe Flash Player(3154132)(Critical) Windows 10 Version 1511 for x64-based Systems Not applicable Windows 10 Version 1511 for x64-based Systems(3147458)(Important) Windows 10 Version 1511 for x64-based Systems(3147458)(Important) Windows 10 Version 1511 for x64-based Systems(3147458)(Important) Windows 10 Version 1511 for x64-based Systems(3147458)(Important) Adobe Flash Player(3154132)(Critical) Server Core installation option Bulletin 
Identifier                                                  MS16-045 MS16-046 MS16-047 MS16-048 MS16-049 MS16-050 Aggregate Severity Rating Important None Important Important None None Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation) Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation) Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)(3149090)(Important) Not applicable Not applicable Not applicable Windows Server 2012(Server Core installation) Windows Server 2012(Server Core installation)(3135456)(Important) Not applicable Windows Server 2012(Server Core installation)(3149090)(Important) Windows Server 2012(Server Core installation)(3146723)(Important) Not applicable Not applicable Windows Server 2012 R2(Server Core installation) Windows Server 2012 R2(Server Core installation)(3135456)(Important) Not applicable Windows Server 2012 R2(Server Core installation)(3149090)(Important) Windows Server 2012 R2(Server Core installation)(3146723)(Important) Not applicable Not applicable Microsoft Office 2007 Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating Important Critical Microsoft Office 2007 Service Pack 3 Microsoft Office 2007 Service Pack 3(3114542)(Important) Microsoft Excel 2007 Service Pack 3(3114892)(Important)Microsoft Word 2007 Service Pack 3(3114983)(Critical) Microsoft Office 2010 Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating Important Critical Microsoft Office 2010 
Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (32-bit editions)(3114566)(Important) Microsoft Office 2010 Service Pack 2 (32-bit editions)(3114990)(Critical)Microsoft Excel 2010 Service Pack 2 (32-bit editions)(3114888)(Important)Microsoft Word 2010 Service Pack 2 (32-bit editions)(3114993)(Critical) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions)(3114566)(Important) Microsoft Office 2010 Service Pack 2 (64-bit editions)(3114990)(Critical)Microsoft Excel 2010 Service Pack 2 (64-bit editions)(3114888)(Important)Microsoft Word 2010 Service Pack 2 (64-bit editions)(3114993)(Critical) Microsoft Office 2013 Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating None Critical Microsoft Office 2013 Service Pack 1 (32-bit editions) Not applicable Microsoft Excel 2013 Service Pack 1 (32-bit editions)(3114947)(Important)Microsoft Word 2013 Service Pack 1 (32-bit editions)(3114937)(Critical) Microsoft Office 2013 Service Pack 1 (64-bit editions) Not applicable Microsoft Excel 2013 Service Pack 1 (64-bit editions)(3114947)(Important)Microsoft Word 2013 Service Pack 1 (64-bit editions)(3114937)(Critical) Microsoft Office 2013 RT Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating None Critical Microsoft Office 2013 RT Service Pack 1 Not applicable Microsoft Excel 2013 RT Service Pack 1(3114947)(Important)Microsoft Word 2013 RT Service Pack 1(3114937)(Critical) Microsoft Office 2016 Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating None Important Microsoft Office 2016 (32-bit edition) Not applicable Microsoft Excel 2016 (32-bit edition)(3114964)(Important) Microsoft Office 2016 (64-bit edition) Not applicable Microsoft Excel 2016 (64-bit edition)(3114964)(Important) Microsoft Office for Mac 2011 Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating None Important Microsoft Office for Mac 2011 Not applicable Microsoft Word for Mac 
2011(3154208)(Important) Microsoft Office 2016 for Mac Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating None Important Microsoft Office 2016 for Mac Not applicable Microsoft Word 2016 for Mac(3142577)(Important) Other Office Software Bulletin Identifier MS16-039 MS16-042 Aggregate Severity Rating Important Critical Microsoft Office Compatibility Pack Service Pack 3 Not applicable Microsoft Office Compatibility Pack Service Pack 3(3114982)(Critical)Microsoft Office Compatibility Pack Service Pack 3(3114895)(Important) Microsoft Excel Viewer Not applicable Microsoft Excel Viewer(3114898)(Important) Microsoft Word Viewer Microsoft Word Viewer(3114985)(Important) Microsoft Word Viewer(3114987)(Critical) This bulletin spans more than one software category.
See the other tables in this section for additional affected software.This bulletin spans more than one software category.
See the other tables in this section for additional affected software. Skype for Business 2016 Bulletin Identifier MS16-039 Aggregate Severity Rating Critical Skype for Business 2016 (32-bit editions) Skype for Business 2016 (32-bit editions)(3114960)(Critical) Skype for Business Basic 2016 (32-bit editions) Skype for Business Basic 2016 (32-bit editions)(3114960)(Critical) Skype for Business 2016 (64-bit editions) Skype for Business 2016 (64-bit editions)(3114960)(Critical) Skype for Business Basic 2016 (64-bit editions) Skype for Business Basic 2016 (64-bit editions)(3114960)(Critical) Microsoft Lync 2013 Bulletin Identifier MS16-039 Aggregate Severity Rating Critical Microsoft Lync 2013 Service Pack 1 (32-bit)(Skype for Business) Microsoft Lync 2013 Service Pack 1 (32-bit)(Skype for Business)(3114944)(Critical) Microsoft Lync Basic 2013 Service Pack 1 (32-bit)(Skype for Business Basic) Microsoft Lync Basic 2013 Service Pack 1 (32-bit)(Skype for Business Basic)(3114944)(Critical) Microsoft Lync 2013 Service Pack 1 (64-bit)(Skype for Business) Microsoft Lync 2013 Service Pack 1 (64-bit)(Skype for Business)(3114944)(Critical) Microsoft Lync Basic 2013 Service Pack 1 (64-bit)(Skype for Business Basic) Microsoft Lync Basic 2013 Service Pack 1 (64-bit)(Skype for Business Basic)(3114944)(Critical) Microsoft Lync 2010 Bulletin Identifier MS16-039 Aggregate Severity Rating Critical Microsoft Lync 2010 (32-bit) Microsoft Lync 2010 (32-bit)(3144427)(Critical) Microsoft Lync 2010 (64-bit) Microsoft Lync 2010 (64-bit)(3144427)(Critical) Microsoft Lync 2010 Attendee(user level install) Microsoft Lync 2010 Attendee(user level install)(3144428)(Critical) Microsoft Lync 2010 Attendee(admin level install) Microsoft Lync 2010 Attendee(admin level install)(3144429)(Critical) Microsoft Live Meeting 2007 Console Bulletin Identifier MS16-039 Aggregate Severity Rating Critical Microsoft Live Meeting 2007 Console Microsoft Live Meeting 2007 Console(3144432)(Critical) This bulletin spans 
more than one software category.
See the other tables in this section for additional affected software.
Security Update for Microsoft Exchange Server (3160339)
Published: June 14, 2016
Version: 1.0

This security update resolves vulnerabilities in Microsoft Exchange Server.

The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016.

For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages.

For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3160339.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

*The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Why is Microsoft issuing a security update for vulnerabilities that are in third-party code, Oracle Outside In libraries?
Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities.

For more information about these vulnerabilities, see Oracle Critical Patch Update Advisory - January 2016.

Do these updates contain any additional security-related changes to functionality?
The updates listed in the Affected Software and Vulnerability Severity Ratings table include defense-in-depth updates to help improve security-related features, in addition to the changes that are listed for the vulnerability described in this bulletin.

Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028

An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure.

An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA).

An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.

To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL.

This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

The update corrects the way that Exchange parses HTML messages.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title | CVE number | Publicly disclosed | Exploited
Microsoft Exchange Information Disclosure Vulnerability | CVE-2016-0028 | No | No

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Oracle Outside In Libraries Elevation of Privilege Vulnerabilities

This security update addresses the following vulnerabilities, which are described in Oracle Critical Patch Update Advisory - January 2016:

CVE-2015-6013: Oracle Outside In 8.5.2 WK4 stack buffer overflow
CVE-2015-6014: Oracle Outside In 8.5.2 DOC stack buffer overflow
CVE-2015-6015: Oracle OIT 8.5.2 Paradox DB stack buffer overflow

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (June 14, 2016): Bulletin published.

Page generated 2016-06-08 10:44-07:00.