Microsoft Security Bulletins September 2016
The following guide provides you with information about Microsoft's September 2016 Patch Day covering all security updates and non-security patches.
Microsoft publishes security patches on the second Tuesday of each month that fix security issues in Microsoft Windows and other company products. This month, the updates were released on September 13, 2016.
The overview starts with an executive summary that provides you with the most important bits of information.
What follows is the operating system and other Microsoft product distribution listing. It lists all versions of Windows, and how each is affected this month by the released security updates.
We list all security bulletins, security advisories and non-security patches that Microsoft released afterwards. Each links to the patch's KB article on the Microsoft website for quick access to Microsoft information on it.
The last part lists download options and links to additional resources that you may find useful.
Microsoft Security Bulletins September 2016
Executive Summary
- Microsoft released a total of 14 security bulletins in September 2016.
- 7 of the bulletins are rated with the highest severity rating critical, the remaining 7 bulletins with the second highest rating important.
- Affected products include all versions of Microsoft Windows that are supported by Microsoft, as well as Microsoft Office, Microsoft Exchange Server, and Internet Explorer / Edge.
Operating System Distribution
All client versions of Windows are affected by the critically rated bulletin MS16-104 and MS16-116 (Internet Explorer vulnerability), while Windows 10 is also affected by MS16-105 which addresses vulnerabilities in Microsoft Edge.
Windows 10 is also the only operating system that is critically affected by MS16-106. Last but not least, only Windows 8.1 and newer versions of Windows are affected by the critically rated bulletin Ms16-117 (security update for built-in Adobe Flash Player).
- Windows Vista: 2 critical, 4 important
- Windows 7: 2 critical, 4 important
- Windows 8.1: 3 critical, 6 important
- Windows RT 8.1: 3 critical, 6 important
- Windows 10: 5 critical, 6 important
- Windows Server 2008: 4 important, 2 moderate
- Windows Server 2008 R2: 4 important, 2 moderate
- Windows Server 2012 and 2012 R2: 6 important, 3 moderate
- Server core: 5 important, 1 moderate
Other Microsoft Products
- Microsoft Office 2007, 2010: 1 critical
- Microsoft Office 2013, 2013 RT, 2016: 1 critical
- Microsoft Office for Mac 2011, 2016: 1 critical
- Microsoft Word Viewer: 1 critical
- Microsoft PowerPoint Viewer: 1 critical
- Microsoft Excel Viewer: 1 critical
- Microsoft Office Compatibility Pack Service Pack 3: 1 critical
- Microsoft SharePoint Server 2007, 2010, 2013: 1 critical
- Microsoft Office Web Apps 2010: 1 critical
- Microsoft Office Web Apps 2013: 1 critical, 1 important
- Microsoft Exchange Server 2007, 2010, 2013, 2016: 1 important
- Microsoft Silverlight: 1 important
Security Bulletins
Red = critical
MS16-104 - Cumulative Security Update for Internet Explorer (3183038)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
MS16-105 - Cumulative Security Update for Microsoft Edge (3183043)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
MS16-106 - Security Update for Microsoft Graphics Component (3185848)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.
MS16-107 - Security Update for Microsoft Office (3185852)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.
MS16-108 - Security Update for Microsoft Exchange Server (3185883)
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.
MS16-109 - Security Update for Silverlight (3182373)
This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application.
MS16-110 - Security Update for Windows (3178467)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker creates a specially crafted request and executes arbitrary code with elevated permissions on a target system.
MS16-111 - Security Update for Windows Kernel (3186973)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.
MS16-112 - Security Update for Windows Lock Screen (3178469)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen.
MS16-113 - Security Update for Windows Secure Kernel Mode (3185876)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.
MS16-114 - Security Update for SMBv1 Server (3185879)
This security update resolves a vulnerability in Microsoft Windows. On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, the vulnerability could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMBv1) Server.
MS16-115 - Security Update for Microsoft Windows PDF Library (3188733)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.
MS16-116 - Security Update in OLE Automation for VBScript Scripting Engine (3188724)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, MS16-116, and the update in MS16-104.
MS16-117 - Security Update for Adobe Flash Player (3188128)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Security advisories and updates
Microsoft Security Advisory 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege
Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
Non-security related updates
KB3185662 - Update for Windows Vista - Windows Journal update for Windows Vista SP2.
KB3189031 - Update for Adobe Flash Player for Windows 10 Version 1607
KB3189866 - Cumulative Update Patch for Windows 10 Version 1607 September 13, 2016.
KB3176939 - Cumulative Update Patch for Windows 10 Version 1607 August 31, 2016.
KB3176934 - Cumulative Update Patch for Windows 10 Version 1607 August 23, 2016.
KB3187022 - Update for Windows Server 2008 and Windows Vista - Print functionality is broken after any of the MS16-098 security updates are installed.
KB3187022 - Update for Windows 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows 7, and Windows Server 2008 R2 - Print functionality is broken after any of the MS16-098 security updates are installed.
KB2922223 - Update for Windows Embedded 8 Standard - You cannot change system time if RealTimeIsUniversal registry entry is enabled in Windows
KB3177723 - Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded - 2016 — Egypt cancels DST
KB3179573 - Update for Windows 7 and Windows Server 2008 R2 - August 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. List of changes available here.
KB3179574 - Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 - August 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2. List of changes available here.
KB3179575 - Update for Windows Embedded 8 Standard and Windows Server 2012 - August 2016 update rollup for Windows Server 2012. List of changes available here.
How to download and install the September 2016 security updates
Windows Update is the primary method of patch distributing for Home computer systems running Windows.
The service is configured to check for updates regularly, and download and install important updates automatically. This includes all security updates for the operating system, and maybe also other patches that Microsoft considers important enough.
Windows Update does not perform real-time checks for updates. You may want to run a manual update check if you want the patches to be downloaded as quickly as possible.
We suggest you back up your system prior to installing patches so that you can restore it should one or multiple patches cause issues on the system after installation.
You can run a manual update check in the following way:
- Tap on the Windows-key on the keyboard, type Windows Update and hit the Enter-key to open the application.
- Windows may run an update check automatically right away. If that is not the case, click on "check for updates" on the page to run a manual check for updates.
You may want to research all updates before you install them on your system.
Updates are also provided via Microsoft's Download Center, monthly Security ISO image releases, and via Microsoft's Update Catalog.
Additional resources
- Microsoft Security Bulletin Summary for September 2016
- List of software updates for Microsoft products
- List of security advisories of 2016
- Our in-depth update guide for Windows
- Windows 10 Update History
Thanks for your article about September Patch Tuesday 2016. All updates installed sucessfully for me Win 10 1607, now build 14393.187. This update took 30 minutes to download and install which seems longer than previous updates. All is stable though with my reliability monitor at “10”.
Martin,
The link to “Updated Support for Diffie-Hellman Key Exchange 3174644” is not working
The message on the MS TechNet site reads “The URL may be misspelled or the page you’re looking for is no longer available.”
OOPS, nearly forgot to say thanks for your usual comprehensive synopsis. :)
Microsoft has not published it yet, nothing I can do about it ;(
its missing a / in the URL, it should be:
https://technet.microsoft.com/en-us/library/security/3174644.aspx
not
https://technet.microsoft.com/en-us/library/security3174644.aspx
Flash 23 launched in the update!
Thanks again, Martin, For you extensive article.
Has any readers had issues with Devcies repeatedly rebooting after installing updates from September?
I have had several Dell tablets running W10 Pro and several HP laptops running W7 Enterprise have this issue after installing these updates.
They boot, Windows loads, can log in for 2 – 5 minutes then reboot.
If I remove Sept updates issue goes away.
Not been able to determine which update is causing issue yet.
I have done a Google search but not seeing any other reports.
Thanks for any feedback and thanks to Martin for keeping us up to date.
Thank you the well documented article as always Martin
Under W7x64, installing only 4 security patches, no problemo.
The latest update by Windows Update for my part.
Can windows 8.1 load web content from lock screen? I thought that only applied to Windows 10.
If it can’t why is 8.1 included in the security patch for that vulnerability? https://support.microsoft.com/en-us/kb/3178539
I think I’m going to skip that update since it may introduce a vulnerability which doesn’t exist yet.
That’s a really dumb idea. I blocked Windows Update in 8.1 because there are now about 500 of them and they are so buggy they kept bricking my computers. So, no thank you MickeyMouseSoft. :( I’d rather be part of a botnet than have my computers crashing every other day. :(
Winaero Tweaker has a setting to disable Windows Update service.
When you reset Windows back to factory settings there is an option to not set up Windows Update. But it is buggy. Winaero Tweaker disables it and it stays that way.
I got the update la night and it wiped my desktop icons and deleted all my favorites in the Edge browser
Same here, wiped my Favorites will all important saves. Piece of crap coders. Also took 1.5 hours total to update b4 could turn laptop off!
I have been trying for 3 months to update windows vista .. no joy yet
3 Win7 Pro machines, I hate to be “Critical” but unless things change, this will be my last Windows Update, ever.
Ian Wood go to http://wu.krelay.de/en/
This updates wiped all my game mods which was over 300 gigs which im on a 300 gig a month bandwidth, can not playa ny game for am onth now. And it deleted al my family photos ones that wer epriceless and am unable to get back now. Also deleted some home videos and some TV shows i was watchign along with ALL my music which was years and years of accumulated music i liked. THIS UPDATE FUCKED ME BADLY MICROSOFT ARE FUCKING RETARDS.
I restored my windows 10 back to an earlier date and everything came back. That is after a Windows tech spent 2 hours on a remote assistance session and he could do nothing to fix it. I asked him about this option and he would not confirm it would work. I guess they don’t want to admit the update is the cause of the problem.
Finally got to boot my CPU by pressing F8 repeatedly while it was trying to boot, and was able to select the right boot drive.I tried restoring my computer, but it couldn’t complete the restoration because it couldn’t boot. Now I’m backing up all my files and hopefully I’ll be able to find a solution. Waited all day for level 2 tech support to call me back, but still no call. They said this last update created known issues like not being able to boot from the drive. I also noticed the stupid update actually changed my boot preferences in the setup menu. Im using Windows 7. anyone know how to fix this yet? Thanks microsoft!
I had so many issue with the UPDATE like everybody else on here! What hell is going on??
Lost priceless information!
Funny. I asked the tech if they were getting many calls about update problems and he said I was the only one.
Printer won’t scan now, everything is messed up. It even removed my wallpaper photo!
Use the restore https://www.youtube.com/watch?v=jGN_nvHb9-M.
Thanks for youtube reference; this in turn points to many other Acer useful videos for windows 10, although they are sometimes more complicated procedures than the simple Windows 10 click process that accomplishes the same result.
Windows 10, for some reason, hides the restore feature. It was easy to find n Windows 7.
Similar issues: desktop wiped clean after updating Windows 7 Sept 2016, except for start button and recycle bin. Had to do restore, stop auto updates. Now won’t complete checking for new updates.
After the September 13, 2016 update, my quickbooks 2011 will not install, all of my programs not say that they were installed on September 13, 2016, and Internet Explorer is useless. Tries restoring to a previous point before the update but QUICKBOOKS 2011 still will not work. Called quickbooks 2011 and of course, they said that my version is not compatible with windows 10. I said, funny, I have been using it for a year on my windows 10 pc. It was this update. Can any one help? I already uninstalled and reinstalled it. It work a couple of times and then back to shutting down when I open a company.
I’m having the same problem with quickbooks 2011 after my windows 10 updated yesterday.
I’m having t he same problem with Quick Books Simple Start 2008. Its worked great for years and now it wont install it just try’s for a second and the disappears.
Also, my brothers machine would not boot up after the update it would just sit and spin with with black screen.
I was having the same issue. I thought I picked up a virus…did all my additional security software stuff that identifies more than my regular active one. None of them found anything so I knew it had to be microsoft. I use to struggle with my XP when I got updates it would wipe out a lot of my data or do the sit and spin and not get past the dreaded backscreen. I wish microsoft would not send this crap w/o making sure it won’t do harm.
Windows 10 update deleted ALL FILES in C:documents folder ……
Also ….. am now unable to print/email to pdf from Quickbooks as it corrupted the XPS print/driver I had installed to make this happen .
Also ….. Reinstalled it’s own writer – which I had deleted.
Also ….. Will not allow me to add another XPS print/driver which I had previously been able to to as apparently it still exists but does not show in devices and printers.
VERY UNHAPPY
Windows 10 update deleted ALL FILES in C:documents folder ……
Also ….. am now unable to print/email to pdf from Quickbooks as it corrupted the XPS print/driver I had installed to make this happen .
Also ….. Reinstalled it’s own writer – which I had deleted.
Also ….. Will not allow me to add another XPS print/driver which I had previously been able to to as apparently it still exists but does not show in devices and printers.
VERY UNHAPPY
Sept 25, 2016
Win 10 updates KB3193494, KB3176935 and KB3176937 automatically installed on my laptop yesterday with several reboots. After the last reboot I received the blue screen with the “stop code: DPC watchdog violation.” I am able to start in safe mode and have tried removing the last update, as well as all 3 updates, however the auto updater replaces one or all of them. Each restart results in a blue screen unless I press F8 upon startup, which sometimes allows me into the blue screen menu where I can select a restart with safe mode options. I have no restore points to which I can go back. I have an external hard drive with all the laptop’s files with Win 7 from before my conversion to Win 10, but no image file. Not sure how to proceed, so I’m biding my time before reinstalling Win 7 from CDs. I was happy with Win 10 until now. Any suggestions?