Microsoft Security Bulletins July 2016
Welcome to the Microsoft Security Bulletins overview for July 2016. The overview covers July's Patch Day, and all patches released by Microsoft on July 12, 2016 for Windows and other company products.
It starts with an executive summary that reveals important information about this month's security patches. It is followed by the operating system and Microsoft product distribution listing, revealing how specific Microsoft products are affected this month.
This is followed by the list of security bulletins released by Microsoft in July 2016, and the list of security advisories, updates, and non-security updates released since the June 2016 patch day.
The final part of the overview provides you with download information and links to additional resources.
Microsoft Security Bulletins July 2016
Executive Summary
- Microsoft released 11 bulletins on the July 2016 Patch Day.
- 6 bulletins are rated with a severity ranking of critical, the remaining 5 bulletins with a severity ranking of important.
- All client and server versions of Microsoft Windows are affected by security issues that the released patches resolve.
- Other affected Microsoft products include
Operating System Distribution
All client and server Windows operating systems are affected by at least one critical security vulnerability. In fact, all are affected by MS16-087, a vulnerability in Windows Print Spooler Components in a critical way.
Vista is the only client system affected by MS16-086, a cumulative security update for JScript and VBScript, and Windows Server 2008 the only server system affected by it but only with a moderate severity rating.
Windows 10 is the only client system affected by MS16-085, a cumulative security update for Microsoft Edge.
Windows 8.1 and newer systems are affected by MS16-093, another critically rated bulletin affecting Adobe Flash Player contained within IE10 and newer.
Last but not least, they receive updates described in MS16-092 and MS16-094. The updates fix secure boot and kernel security issues.
- Windows Vista: 3 critical, 2 important:
- Windows 7: 2 critical, 2 important
- Windows 8.1: 3 critical, 4 important
- Windows RT 8.1: 3 critical, 4 important
- Windows 10: 4 critical, 4 important
- Windows Server 2008: 1 critical, 2 important, 2 moderate
- Windows Server 2008 R2: 1 critical, 2 important, 1 moderate
- Windows Server 2012 and 2012 R2: 1 critical, 4 important, 2 moderate
- Server core: 1 critical, 4 important, 1 moderate
Other Microsoft Products
- Microsoft Office 2007, 2010, 2013, 2013 RT, 2016: 1 critical
- Microsoft Office for Mac 2011, 2016: 1 critical
- Microsoft Office Compatibility Pack Service Pack 3: 1 important
- Microsoft Excel Viewer: 1 important
- Microsoft Word Viewer: 1 important
- Microsoft SharePoint Server 2010, 2013, 2016: 1 important
- Microsoft Office Web Apps 2010, 2013: 1 important
- Office Online Server: 1 important
Security Bulletins
Cumulative Security Update for Internet Explorer (3169991) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Cumulative Security Update for Microsoft Edge (3169999) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
Cumulative Security Update for JScript and VBScript (3169996) - Critical - Remote Code Execution
This security update resolves a vulnerability in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Security Update for Windows Print Spooler Components (3170005) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.
Security Update for Microsoft Office (3170008) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
Security Update for Windows Secure Kernel Mode (3170050) - Important - Information Disclosure
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.
Security Update for Windows Kernel-Mode Drivers (3171481) - Important - Elevation of Privilege
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Security Update for .NET Framework (3170048) - Important - Information Disclosure
This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application.
Security Update for Windows Kernel (3171910) - Important - Security Feature Bypass
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to determine how a low integrity application can use certain object manager features.
Security Update for Adobe Flash Player (3174060) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10.
Security Update for Secure Boot (3177404) - Important - Security Feature Bypass
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.
Security advisories and updates
MS16-083: Security Update for Adobe Flash Player for Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012 (KB3167685)
Non-security related updates
KB2952664: Update for Windows 7 - Compatibility update for upgrading Windows 7.
KB2976978: Update for Windows 8.1 and Windows 8 - Compatibility update for Windows 8.1 and Windows 8.
KB2977759: Update for Windows 7 - Compatibility update for Windows 7 RTM.
KB3170735: Update for Windows 8.1 and Windows 7 - July 2016 Update for Windows Journal.
KB3163589: Update for Windows 8 and Windows 7 - "Your PC is running an outdated version of Windows" notification.
KB3173040: Update for Windows 8.1 and Windows 7 - Windows 8.1 and Windows 7 SP1 end of free upgrade offer notification.
KB3161606: Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 - June 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
Issues that the update fixes:
- KB3163232 Application crashes when you open an earlier version of an Office file in Windows 8.1 or Windows Server 2012 R2
- KB3163974 "Sign in to your Microsoft account" wizard page has only one text box in Windows 8.1 or Windows Server 2012 R2
- KB3142535 Hard I/O failure with MPIO storage targets connected to Windows Server 2012 R2
- KB3153887 Fine tuning failover cluster network thresholds in Windows Server 2012 R2
- KB3163306 AD FS 3.0 can't connect to native LDAP attribute stores over SSL in Windows Server 2012 R2
- KB3163192 NFS role takes a long time or fails to come online on a Windows Server 2012 R2 cluster
- KB3164088 Memory leak occurs when system calls a certain function to store and look for GUID records in Windows Server 2012 R2
- KB3164345 Stop error occurs when you recover a computer from sleep or restart it in Windows 8.1 or Windows RT 8.1
- KB3135021 File server becomes unresponsive when data deduplication is running in Windows Server 2012 R2
- KB3159393 Memory Leak in IIS ADSI provider in Windows 8.1 or Windows Server 2012 R2
- KB3159985 Crash dump file isn't generated in Windows Server 2012 R2
- KB3162159 Kerberos authentication policy causes requests to fail with a status of KDC_ERR_POLICY in Windows Server 2012 R2
- KB3162871 RD Gateway Manager console crashes with the latest .NET Framework 4.6.1 update on Windows Server 2012 R2
- KB3163023 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: June 2016
- KB3161579 "Access Denied" error when you run mpclaim.exe command to retrieve MPIO configuration reports in Windows Server 2012 R2
- KB3154769 "Error Cannot Process TPM Attestation" when you try to configure Key Attestation in Windows Server 2012 R2
- KB3163191 Group policies aren't applied during startup and logon in Windows
- KB3154437 Update to remove VPNIKE hardcoded dependency in Windows Server 2012 R2
- KB3153727 Windows Installer with certain actions can't be installed on Windows Server 2012 R2 or Windows Server 2008 R2 SP1
- KB3161639 Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows
- KB3158626 "0xD1" Stop error when a virtual machine crashes on a Windows Server 2012 R2 or Windows Server 2012 Hyper-V host
- KB3154228 32-bit icons can't be loaded in OleLoadPictureEx in Windows
KB3161608: Update for Windows 7 and Windows Server 2008 R2 - June 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
Issues that the update fixes:
- KB3154228 32-bit icons can't be loaded in OleLoadPictureEx in Windows
- KB3153727 Windows Installer with certain actions can't be installed on Windows Server 2012 R2 or Windows Server 2008 R2 SP1
- KB3161647 Windows Update Client for Windows 7 and Windows Server 2008 R2: June 2016
- KB3161897 WDS deployment fails when UEFI clients are in routed environments in Windows Server 2008 R2 SP1
- KB3161639 Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows
- KB3163644 Microsoft Office 2010 doesn't start when EMET is enabled in Windows 7 or Windows Server 2008 R2
KB3161609: Update for Windows Embedded 8 Standard and Windows Server 2012 - June 2016 update rollup for Windows Server 2012
Issues that the update fixes:
- KB3158626 "0xD1" Stop error when a virtual machine crashes on a Windows Server 2012 R2 or Windows Server 2012 Hyper-V host
- KB3154228 32-bit icons can't be loaded in OleLoadPictureEx in Windows
How to download and install the July 2016 security updates
All security updates are already available on Windows Update. Windows Update is the built-in update service of Windows devices, and configured by default to download critical patches automatically.
The service does not check for updates in real-time. If you want to speed up the process, do the following:
- Tap on the Windows-key on the computer keyboard, type Windows Update, and select the result from the list.
- Select the "check for updates" button to run a manual check for updates.
Windows checks for available updates. What happens next depends on how updating is configured on the device. Updates may be downloaded and installed automatically, or you may be notified about them only.
The latter gives you greater control over the updating process.
We recommend highly that you research updates released for Windows before you install them on your machines. Updates may break systems, and have done so in the past. At the very least, create a system backup before you install the updates.
Some updates are available on Microsoft's Download Center, as Security ISO images, and via Microsoft's Update Catalog.
Additional resources
- Microsoft Security Bulletin Summary for July 2016
- List of software updates for Microsoft products
- List of security advisories of 2016
- Our in-depth update guide for Windows
- Windows 10 Update History
Thanks for the updates.
Guys, is there any up-to-date list of all updates that are bringing telemetry and gwx.exe to Windows 7? I tired to locate such but with no luck – in terms of constantly updating on what are bringing new patches.
These are all that are still sent afaik. As seen on Windows 7 Ultimate x64
imgur com/f2FeWCg
I have a longer list from someone, but they’re just not sent anymore.
Had to download the windows x64 cummulative update manually and install…. it was stalled with auto update :|
Things seem to be ok tho – the rest of the auto update went fine
That happened to me too, on one of my computers… On my 2 laptops everything worked fine, but I had to download and install the cumulative update manually on my desktop…
Are you sure it stalled? How much time you gave it? Some times ( especially when Windows 8 and then 10 came out ) I had to let it about 30 minutes in order to get “unstuck”. It seemed like it stalled, but you’ve to give it time. My PC and connection weren’t the problem -both relatively fast and I’ve no HDDs, only 2 Samsung 850 SSDs.
However this particular update went extremely fast. No problems have been detected. After the reboot, went to piss and when I came back it was already at the desktop.
I gave it a full hour where it stalled at 86% and was downloading about 1% every 20 minutes.
Sorry for the slight offtopic – but is there a way to actually disable automatic updates in Windows 10 Education?
Seriously, I’m tired of it.
The most I’d be willing to tolerate is notifications that new updates are available (and I don’t even necessarily want those).
But you know, actually being able to choose what I want to install and not being nagged to restart for eternity would be nice, definitely.
I’ve disabled Windows Update on my PCs till now and just took time once a month to review and install them so they never got in my way.
This month’s Security Bulletins reminded me of what I dislike about the Windows 10 Update Client. It’s so utterly opaque for the end user. It took a while to download the updates and then the whole install and reboot made it about an hour. Upon starting up, I was informed that an update had failed to install. No mention of which one or why it failed. So I manually checked for updates and it failed because “something” was wrong. The update troubleshooter fixed the something (again not telling me exactly what was fixed. And another check found nothing needing to be updated. So the update actually succeeded but was reported as a fail because of some corruption in the process.
Since Microsoft is now doing ‘Monthly Update Rollups’ along with the updates, are they safe to install as the full bundle? Specifically: KB3161608- Update for Windows 7 and Windows Server 2008 R2 – June 2016 update rollup.
I see the contents but I’m curious if we should simply accept the full rollup or look for the specific items inside that we think we can use and go get them separately?
Re: KB3161608
This update should fix the multi-hour long scan times for Windows Update that many users have been experiencing over the past few months, myself included. I have my fingers crossed that it’s effective.
The downside is primarily in the added cipher suites that are likely to break secure network applications all over the place, mostly in the enterprise sector. Fortunately there are some workarounds:
http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/problems-with-kb-3161608-and-kb-3161639/2cd5ffb3-c203-4080-872f-73de1a96e080?page=1
For regular users the biggest drawback of KB3161608 is that it breaks Bluetooth functions, particularly Intel’s Bluetooth devices but others may be affected as well:
https://communities.intel.com/thread/104414
Thanks Beemeup4, There are parts of the rollup I want, but others, not so much. I’ve been reading in a lot of places that Microsoft dropped the ball big time on this one so i wanted to hear other’s comments before I did anything. I have been plagued by long WU scans as well, some lasting a whole day. Fixing that would be the objective but breaking other stuff seems to be the side effect. I am presuming that the monthly rollups should now been watched with caution and hesitancy as well.
Martin – my Windows Update has stopped working since October 2015, I really do not know the reason why. Is there a cumulative download available, using which I can bring Windows 10 up-to-date with the current patches? Thank you.
What happens when you check for updates? You could try a third-party download program such as http://www.wsusoffline.net/