Microsoft Security Bulletins June 2016

Martin Brinkmann
Jun 14, 2016
Updated • Jan 4, 2018
Companies, Microsoft

This summary provides you with detailed information about the security bulletins that Microsoft released for its Windows operating system and other company products on June 14, 2016.

The guide lists all security and non-security patches, as well as security advisories that Microsoft released since the last patch day on May 10, 2016.

Each update is linked to Microsoft's Knowledge Base so that you can look it up in detail.

Apart from the list of patches, our overview provides you with information on how the bulletins are distributed across operating systems and other Microsoft products, an executive summary, and information on how to download the updates to Windows machines.

Microsoft Security Bulletins June 2016

Executive Summary

  • Microsoft released a total of 16 security bulletins on the June 2016 Patch Day.
  • 5 of the bulletins received the highest severity rating of critical, the remaining 11 bulletins a rating of important.
  • Affected products include all client and server versions of Microsoft Windows, Microsoft Office, and Microsoft Exchange.

Operating System Distribution

All client versions of Windows are affected critically by vulnerabilities described in MS16-063. Windows Vista on top of that is affected critically by MS16-069, and Windows 10 by MS16-068.

MS16-069 is a cumulative security update for JScript and VBScript, and MS16-068 an update for Microsoft Edge which is exclusively available for Windows 10.

The critical server vulnerability affects only Windows Server 2012 and 2012 R2. It is described as an update for Microsoft Windows DNS Server in the bulletin MS16-071.

  • Windows Vista: 2 critical, 2 important
  • Windows 7: 1 critical, 2 important
  • Windows 8.1: 1 critical, 3 important
  • Windows RT 8.1: 1 critical, 2 important
  • Windows 10: 2 critical, 4 important
  • Windows Server 2008: 3 important, 2 moderate
  • Windows Server 2008 R2: 4 important, 1 moderate
  • Windows Server 2012 and 2012 R2: 1 critical, 5 important, 1 moderate
  • Server core: 1 critical, 3 important, 1 moderate

Other Microsoft Products

All Office products are affected by vulnerabilities described in the bulletin MS16-070. Microsoft Exchange Server is affected by vulnerabilities described in MS16-079.

  • Microsoft Office 2007, 2010, 2013, 2013 RT, 2016: 1 critical
  • Microsoft Office for Mac 2011, 2016: 1 critical
  • Microsoft Office Compatibility Pack SP3: 1 important
  • Microsoft Visio Viewer 2007 SP3, 2010: 1 important
  • Microsoft Word Viewer: 1 important
  • Microsoft SharePoint Server 2010, 2013: 1 important
  • Microsoft Office Web Apps 2010, 2013: 1 important
  • Office Online Server: 1 important
  • Microsoft Exchange Server 2007, 2010, 2013, 2016: 1 important

Security Bulletins

MS16-063 - Cumulative Security Update for Internet Explorer (3163649) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS16-068 - Cumulative Security Update for Microsoft Edge (3163656) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.

MS16-069 - Cumulative Security Update for JScript and VBScript (3163640) - Critical - Remote Code Execution

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website.

MS16-070 - Security Update for Microsoft Office (3163610) - Critical - Remote Code Execution

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

MS16-071 - Security Update for Microsoft Windows DNS Server (3164065) - Critical - Remote Code Execution

The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

MS16-072 - Security Update for Group Policy (3163622) - Important - Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

MS16-073 - Security Update for Windows Kernel-Mode Drivers (3164028) - Important - Elevation of Privilege

The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-074 - Security Update for Microsoft Graphics Component (3164036) - Important - Elevation of Privilege

The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

MS16-075 - Security Update for Windows SMB Server (3164038) - Important - Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

MS16-076 - Security Update for Netlogon (3167691) - Important - Remote Code Execution

The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

MS16-077 - Security Update for WPAD (3165191) - Important - Elevation of Privilege

The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.

MS16-078 - Security Update for Windows Diagnostic Hub (3165479) - Important - Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-079 - Security Update for Microsoft Exchange Server (3160339) - Important - Information Disclosure

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

MS16-080 - Security Update for Microsoft Windows PDF (3164302) - Important - Remote Code Execution

The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could cause arbitrary code to execute in the context of the current user.

MS16-081 - Security Update for Active Directory (3160352) - Important - Denial of Service

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

MS16-082 - Security Update for Microsoft Windows Search Component (3165270) - Important - Denial of Service

The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

Security advisories and updates

MS16-033: Security Update for Windows Embedded Standard 7 (KB3139398)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system.

MS16-064: Security Update for Adobe Flash Player for Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012 (KB3163207)

MS16-064: Security update for Adobe Flash Player: May 13, 2016

MS16-065: Security Update for Microsoft .NET Framework 4.6 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB3142037)

MS16-065: Description of the security update for the .NET Framework 4.6.1 in Windows 7 SP1 and Windows Server 2008 R2 SP1 and the .NET Framework 4.6 in Windows Vista SP2 and Windows Server 2008 SP2: May 10, 2016

Microsoft Security Advisory 2880823

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Microsoft Security Advisory 3155527

Update to Cipher Suites for FalseStart

Non-security related updates

Update for Windows 7 (KB2952664)

Update for Windows 7 (KB2977759)

Update for Windows 8.1 and Windows 8 (KB2976978)

Compatibility update for upgrading Windows 7, 7 RTM, 8, 8.1. This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.

Update for Windows Embedded 8 Standard (KB3156416)

May 2016 update rollup for Windows Server 2012

Update for Windows 8.1 and Windows 7 (KB3035583)

This update installs the Get Windows 10 app that helps users understand their Windows 10 upgrade options and device readiness.

Update for Windows 8.1 and Windows 7 (KB3123862)

Updated capabilities to upgrade Windows 8.1 and Windows 7

Update for Windows 7 and Windows Server 2008 R2 (KB3125574)

Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1.

Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7, and Windows Server 2008 R2 (KB3139923)

MSI repair doesn't work when MSI source is installed on an HTTP share in Windows

Update for Windows Server 2012 R2 (KB3155444)

PXE client computers freeze during multithread network transfers in Windows Server 2012 R2.

Update for Windows Server 2012 (KB3156416)

May 2016 update rollup for Windows Server 2012

Update for Windows 7 and Windows Server 2008 R2 (KB3156417)

May 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1

Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB3156418)

May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Update for Windows 10 (KB3159635)

Windows 10 Update Assistant: To help keep all Windows 10 systems secure and provide the latest features and improvements, the Windows 10 Update Assistant downloads and starts the setup for Windows 10 version 1511.

Update for Windows 10 (KB3147062)

Signing verification failure breaks audio functionality in Windows 10 Version 1511

Update for Windows 8.1, Windows 8, and Windows 7 (KB3150513)

May 2016 Compatibility Update for Windows

Update for Windows 10 (KB3152599)

Preinstalled system applications and Start menu may not work when you upgrade to Windows 10 Version 1511

How to download and install the June 2016 security updates


The security updates that Microsoft published on the June 2016 Patch Day are already available via Windows Update.

While the updates will get picked up eventually, it is possible to run a manual check for updates to speed up the process.

  1. Tap on the Windows-key, type Windows Update, and hit the Enter-key afterwards.
  2. Click on the check for updates button to run a manual check for new updates for the operating system.

Windows will check for updates and either download and install them automatically, only download them, or prompt you for actions.

Please note that it is recommended to research Windows updates before you install them to avoid issues afterwards.

Some updates are made available via Microsoft's Download Center, while all security updates are available via Microsoft's Update Catalog.

All security updates are also made available via security ISO images that Microsoft releases on a monthly basis.


Comments

  1. Harry Aiking said on June 17, 2016 at 3:54 pm

    After the June 2016 patch day my Windows 7 Action Center erroneously reported that antivirus, spyware protection and firewall (Norton 360 premier) were turned off. A system restore removed these 3 flags. After today’s Windows Update they’re back again. Does anyone know which of the 19 updates may be the culprit?

    1. Wummel said on June 19, 2016 at 10:35 pm

      @Harry Aiking,
      Your problem is probably related to an unfortunately-timed (and apparently not-quite-ready-for-prime-time) Norton product update (22.7), initially released then pulled; for more info see…
      https://community.norton.com/en/forums/windows-shows-smart-firewall
      hth

  2. druthers said on June 16, 2016 at 11:09 pm

    Problems reported with – MS16-072: Security update for Group Policy: June 14, 2016 >

    http://www.theregister.co.uk/2016/06/15/microsoft_fix_borks_group_policy/

    “Admins in outcry as Microsoft fix borks Group Policy”

    “Users on Reddit and Microsoft support forums are reporting that after the MS16-072 update was installed, changes were made in Group Policy object (GPO) settings that left previously hidden drives and devices accessible. … Other users report having printers and drive maps become inaccessible and security group settings no longer applying. … The users report that uninstalling the MS16-072 update from PCs and servers remedies the problem, though it is at the expense of leaving the underlying security vulnerability open. … El Reg has asked Microsoft for comment on the matter but has yet to hear back from Redmond at the time of publication.”

    See: – “Known issues”: – https://support.microsoft.com/en-gb/kb/3163622

    1. Martin Brinkmann said on June 17, 2016 at 7:32 am

      Thanks for the info!

  3. Anonymous said on June 15, 2016 at 10:55 am

    Martin,
    There are some concerns with doing Windows 7 updates. After doing reinstall after windows update broke my system. I did BUY a new windows o/s and upgrade to Professional.
    Especially with windows updates (as of June 2016).

    I would advise if you have experience with your system to follow along and verify?

    The -Opt Out- Options in Windows control systems are being ignored?

    GO TO: Control Panel\All Control Panel Items\Troubleshooting\Change settings

    After shutting it off?
    Computer Maintenance – OFF
    Other Settings – (x) Allow users to browse for trouble shooters available from Windows Online Troubleshooting service (x) Allow troubleshooting to begin immediately when started

    I really don’t need those checked? This is where the telemetry crap originates.
    Beginners should keep them checked.

    NOTE THERE IS A BLUE “READ THE PRIVACY STATEMENT ONLINE”

    Even though I opted out? The Task Manager proves otherwise?

    In my opinion there should be an Opt-Out Setting. Too late as Windows 10 takes away that right?

    GO TO: Control Panel\All Control Panel Items\Action Center\Change Action Center settings
    DON’T MEDDLE WITH THE CHECK MARKS. LEAVE THEM BE IF YOU WANT YOUR SYSTEM
    PROTECTED. But there is one glaring one that I wasn’t notified when I installed windows.
    Under related settings: See that blue “Customer Experience Improvement Program Settings”
    When you click that there is a prompt:
    Do you want to participate in the Windows Customer Experience Improvement Program?
    I selected No. Because.

    After getting some lags at certain times. I did an AUDIT. And some of you better sit down.
    After several days. I decided to AUDIT the Task Scheduler under
    Control Panel\All Control Panel Items\Administrative Tools
    Select : Run as Admin for “Task Scheduler”

    JUST A WARNING FOR the paranoid. Do not change these settings unless you are experienced.
    And to protect your system. But this needs to be brought forth to the windows community.

    Despite the settings in Control Panel.

    There are some glaring entries:

    Customer Experience Improvement Program – Even though it’s set to never it connected at
    a pre determined time. Don’t delete them. But disable them?
    They (MS) needs to be audited and who knows if Windows update is enabling these
    behind our backs? Right? I shut it off at the control panel? What gives?

    Disk Diagnostic – Same here settings I didn’t authorize?
    The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program.
    Right click and disable it? Again don’t delete!

    \Microsoft\Windows\Customer Experience Improvement Program
    Titled: Consolidator “If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft.” and it starts %SystemRoot%\System32\wsqmcons.exe

    Again I opted out in Control Panel yet Task Manager proves otherwise?

    The USB CEIP (Customer Experience Improvement Program)
    “This task collects Universal Serial Bus related statistics and information about your machine and sends it to the Windows Device Connectivity engineering group at Microsoft. The information received is used to help improve the reliability, stability, and overall functionality of USB in Windows. If the user has not consented to participate in Windows CEIP, this task does not do anything.”

    Task manager ignored my initial settings?

    The most troubling one is Reliability Analysis Component (RAC)

    RAC the RAC Agent Scheduled Task – Reliability Analysis Component (RAC)
    This one I deleted because it kept being enabled and it locked up my system.
    Every time it was the only time.

    Those are the only settings that I have a concern with. I wouldn’t be concerned with the others, yet.

    Does Windows 10 have the ability to manipulate the Task Manager?
    Maybe some of the nags could be shut off there?

    Thanks for listening.

    1. pHROZEN gHOST said on June 15, 2016 at 2:57 pm

      There is nothing wrong with your computer. Do not attempt to adjust the settings. We are controlling everything. If we wish to make things faster, we will stop some useless tasks. If we wish to make it slower, we will start useless tasks and grind it nearly to a halt. We will control the RAM. We will control the CPU. We can control the screen, make it blank. We can change the focus to a soft blur or sharpen it to crystal clarity. From now on, sit quietly and we will control all that you see, hear and do. We repeat: there is nothing wrong with your computer. You are about to participate in a great adventure. You are about to experience the awe and mystery which reaches from the inner mind to – Microsoft Windows 10.

      1. T J said on June 15, 2016 at 4:24 pm

        If you ignore our warning and continue to meddle with our software, you WILL be visited by the TERMINATOR.
        You will not like what he does to you !

  4. CHEF-KOCH said on June 14, 2016 at 8:48 pm

    I recommend waiting several days until someone has reviewed it and people are reporting it’s ‘good to install’. Since I’m LTSB N user I don’t have this problem. :P

    Thanks for the news anyway. :)

    1. Martin Brinkmann said on June 14, 2016 at 9:08 pm

      Create a system backup at the very least.

  5. Gary D said on June 14, 2016 at 8:35 pm

    Win 7 KB 2952664 ! MS is still trying to sneak in the Win 10 update enabler.

    It’s becoming a bit pathetic now isn’t it Martin? Have you heard what the latest Win 10 installed base is lately?
    MS has been very quiet with no bragging about numbers.

    1. Jeff-FL said on June 14, 2016 at 9:10 pm

      It’s clear that they are going to shove 2664 and 5583 down our throats from now till at least July 29.

      I have mine set to reject all non-criticals. Hopefully they stop this aggression after July.

      1. Jeff-FL said on June 15, 2016 at 1:49 pm

        @Scott, yes, I use GWX Control Panel, and also disable “recommended” updates.

      2. Scott Elsdon said on June 14, 2016 at 11:12 pm

        Just use Never 10, it sets policy to Microsoft’s own never get win10 updates.

    2. Martin Brinkmann said on June 14, 2016 at 8:42 pm

      No word. They will probably release new numbers when the Anniversary Update comes out.

      1. Gary D said on June 14, 2016 at 8:57 pm

        OK Thanks
