Microsoft Security Bulletins October 2016
Microsoft released updates for supported operating systems and other company products on today's patch day.
This guide provides you with information on the patches and related information. It covers all security and non-security updates that Microsoft released, plus additional information and links that may prove useful.
It begins with an executive summary highlighting the most important information about the October 2016 Patch day.
This is followed by the list of affected Windows client and server operating systems, and other Microsoft products. The severity and number of updates is listed for each product so that you can see on first glance how products that you use are affected.
What follows is the list of security bulletins, security advisories, and non-security updates that Microsoft released in October 2016.
The last part lists download options, and links to additional resources.
Microsoft Security Bulletins October 2016
Executive Summary
- Updates for Windows 7 and 8 are provided as monthly rollup patches instead of individual updates from this Patch day on. We covered this in detail, and suggest you check out this article for details.
- Microsoft released a total of 10 security bulletins on the October 2016 Patch Day.
- Five of the ten bulletins are rated with a maximum severity rating of critical (highest), the remaining five with a maximum severity rating of important (second highest).
- All Microsoft client and server operating systems are affected by vulnerabilities.
- Microsoft Silverlight, Microsoft .Net Framwork, Microsoft Office, and various business products are affected as well.
Operating System Distribution
All client versions of windows are affected by MS16-118, Ms16-120 and MS16-122 critically. Windows 8.1, RT 8.1 and Windows 10 are furthermore affected by MS16-127 critically. windows 10 on top of that is affected by MS16-119 critically.
Windows 10 is also affected by MS16-126, rated important, which fixes issues in the Microsoft Internet Messaging API.
MS16-119 is a cumulative security update for Microsoft Edge. MS16-127 updates the integrated Adobe Flash Player on those systems.
- Windows Vista: 3 critical, 2 important, 1 moderate
- Windows 7: 3 critical, 2 important, 1 moderate
- Windows 8.1: 4 critical, 2 important
- Windows RT 8.1: 4 critical, 2 important
- Windows 10: 5 critical, 3 important
- Windows Server 2008: 1 critical, 2 important, 1 moderate, 1 low
- Windows Server 2008 R2: 1 critical, 2 important, 1 moderate, 1 low
- Windows Server 2012 and 2012 R2: 1 critical, 2 important, 2 moderate
- Server core: 1 critical, 3 important
Other Microsoft Products
- Microsoft .NET Framework Security Only Release: 1 important.
- Microsoft .NET Framework -Monthly Rollup Release: 1 important.
- Skype for Business 2016: 1 important.
- Microsoft Lync 2010, 2013: 1 important.
- Microsoft Live Meeting 2007 Console: 1 important.
- Microsoft Silverlight: 1 important
- Microsoft Office 2007, 2010: 2 important
- Microsoft Office 2013, 2013 RT, 2016: 1 important
- Microsoft Office for Mac 2011, 2016: 1 important:
- Microsoft Word Viewer: 2 important
- Microsoft Office Compatibility Pack Service Pack 3: 2 important
- Microsoft SharePoint Server 2010, 2013: 1 important
- Microsoft Office Web Apps 2010, 2013: 1 important
Security Bulletins
Red = critical
MS16-118 -- Cumulative Security Update for Internet Explorer (3192887)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
MS16-119 -- Cumulative Security Update for Microsoft Edge (3192890)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
MS16-120 -- Security Update for Microsoft Graphics Component (3192884)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync.
MS16-121 -- Security Update for Microsoft Office (3194063)
This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files.
MS16-122 -- Security Update for Microsoft Video Control (3195360)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory.
MS16-123 -- Security Update for Windows Kernel-Mode Drivers (3192892)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
MS16-124 -- Security Update for Windows Registry (3193227)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
MS16-125 -- Security Update for Diagnostics Hub (3193229)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
MS16-126 -- Security Update for Microsoft Internet Messaging API (3196067)
This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory.
MS16-127 -- Security Update for Adobe Flash Player (3194343)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Security advisories and updates
Non-security related updates
KB3194798 -- Update for Windows 10 Version 1607 - The update includes quality improvements according to Microsoft.
- The history lists various fixes for issues, as well as security updates released today. See this page for details.
KB3192392 -- Security only update for Windows 8.1 and Windows Server 2012 R2
- Security updates to Microsoft Video Control, kernel-mode drivers, Microsoft Graphics Component, Windows registry, and Internet Explorer 11.
KB3185331 - Monthly Rollup for Windows 8.1 and Windows Server 2012 R2
- This security update includes improvements and fixes that were a part of update KB3185279 (released September 20, 2016) and also all security updates of KB3192392.
KB3192391 -- Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP
- Security updates to Windows authentication methods, Internet Explorer 11, Microsoft Graphics component, Microsoft Video Control, kernel-mode drivers, Windows registry, and Microsoft Internet Messaging API.
KB3185330 -- Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
- This security update includes improvements and fixes that were a part of update KB3185278 (released September 20, 2016), and also resolves the security updates listed under KB3192391
KB3191208 -- Update for Windows 10 Version 1511 -- Can't install Windows servicing updates in Windows 10 Version 1511
KB3197099 -- Dynamic Update for Windows 10 Version 1607 -- Compatibility update for upgrading to Windows 10 Version 1607: October 11, 2016
KB890830 -- Windows Malicious Software Removal Tool - October 2016
KB2952664 -- Update for Windows 7 -- Compatibility update for upgrading Windows 7. See this article for details.
KB2976978 -- Update for Windows 8.1 -- Compatibility update for Windows 8.1 and Windows 8. See this article for details.
KB3192665 -- Update for Internet Explorer -- ActiveX installation that uses AXIS fails after you install MS16-104.
KB3063109 -- Update for Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, and Windows Server 2008 R2 -- Hyper-V integration components update for Windows virtual machines that are running on a Windows 10-based host.
KB3177467 -- Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 -- Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 20, 2016.
KB3179930 -- Reliability Rollup for Microsoft .NET Framework 4.5.2, 4.6 and 4.6.1 on Windows 7 and Windows Server 2008 R2.
KB3179949 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 and 4.6 on Vista and Server 2008.
KB3181988 -- Update for Windows 7 and Windows Server 2008 R2 -- SFC integrity scan reports and fixes an error in the usbhub.sys.mui file in Windows 7 SP1 and Windows Server 2008 R2 SP1.
KB3182203 -- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded -- September 2016 time zone change for Novosibirsk.
KB3184143 -- Update for Windows 8.1 and Windows 7 -- Remove software related to the Windows 10 free upgrade offer.
KB3184951 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows Server 2012.
KB3185278 -- Update for Windows 7 and Windows Server 2008 R2 -- September 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
- Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates.
- Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player.
- Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor after installing KB3125574.
- Addressed issue that causes the Generic Commands (GC) to fail upon attempting to install KB2919469 or KB2970228 on a device that already has KB3125574 installed.
- All reported changes here.
KB3185279 -- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 -- September 2016 update rollup for Windows 8.1 and Windows Server 2012 R2.
- Addressed issue that causes some USB storage devices to lose authorization when the device goes into the lowest power state, requiring user to re-authenticate using PIN when the device moves back to a working power state.
- Addressed issue that causes Windows Explorer to become unresponsive when sharing a folder that is the child of at least two shared parent folders.
- Addressed issue that causes a COM port to become unavailable after it is repeatedly opened and closed.
- Addressed issue that causes devices to lose connection to their virtual private network (VPN) a few seconds after connecting, if the connection is made using an integrated mobile broadband connection.
- All reported changes here
KB3185280 -- Update for Windows Embedded 8 Standard and Windows Server 2012 -- September 2016 update rollup for Windows Server 2012.
KB3186208 -- Reliability Rollup for Microsoft .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2.
KB3159635 -- Update for Windows 10 Version 1607 -- Windows 10 Update Assistant update.
How to download and install the October 2016 security updates
The monthly rollup patch is offered through Windows Update. It includes all non-security and security updates that Microsoft released this month.
- Tap on the Windows-key, type Windows Update, hit the Enter-key.
- Click on the check for updates link if that is not done automatically.
- Depending on your update policy, updates found are downloaded automatically, or need a manual trigger.
Updates are also provided via Microsoft's Download Center, monthly Security ISO image releases, and via Microsoft's Update Catalog.
Direct Microsoft Update Catalog download links:
- Windows 7 Security-only October 2016
- Windows 8.1 Security-only October 2016
- Windows 8.1 Flash security patch October 2016
Additional resources
- Microsoft Security Bulletin Summary for October 2016
- List of software updates for Microsoft products
- List of security advisories of 2016
- Microsoft Update Catalog site
- Our in-depth update guide for Windows
- Windows 10 Update History
- Windows 8.1 Update History
- Windows 7 Update History
We need your help
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
KB2952664 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
KB2976978 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
They just DO NOT give up trying to foist Win 10 on users.
Now all we need is KB3035583.
There was one 115mb security update, any way to unpack that update and then install those one by one?
Not aware of any option to do that. Maybe someone will come up with something but for now, does not look that way.
How can someone know what these patches do?
I look at Microsoft(TM) site and they list these KB…
I look at one of them, the info is a .csv
The .csv has nothing about what the patch does.
Well, M$ it is another point against you.
Cant understand the deference between ‘”Security Monthly Quality Rollup” and “Security Only Quality update”.
Monthly Rollup includes non-security and security patches. Security-only update only security updates. The former is provided via Windows Update, the latter not.
Martin:
So wait, the “Security Monthly Quality Rollup” also includes non-security updates?
Could Microsoft have made it any more confusing? Are they trying to hide telemetry crap in what is supposed to look like a security update?
BTW, according to https://support.microsoft.com/kb/3185330
everything in that rollup appears to be security related. Can you explain why you are reporting that it also contains non-security updates?
And what about KB3188740? Does it contain non-security updates?
There are two updates: Security-only, which supposedly contains only the security updates released for the month, and the Monthly Rollup, which contains security and non-security updates.
I think this is a naming issue. This appears to be the monthly rollup patch that includes security and non-security updates. No idea why Microsoft named it “security monthly quality rollup”. It does include non-security patches as mentioned in the second sentence.
.NET Framework updates are not included in the monthly rollup updates. They are provided separately.
October 2016 Patch Tuesday Win10 1607 now is OS Build 14393.321 downloaded and installed successfully for me. Entire process took 45 minutes to complete. Download slowed to a crawl at 84-95% so be patient about it! You might think it is stuck when in fact it taking it’s sweet time. All is stable and good now. Loving Win10 and all updates. SemperFedelis.
no claqueurs please.
“Loving Win10 and all updates.”
Good for you.
I don’t want to break your enthusiasm, Wayne, and if everything fits to your expectations than great. I only wish to mention the Stockholm syndrome which could explain the attitude of some Win10 lovers. Please don’t take it bad, nowadays this pathology is very well handled, there’s nothing to be ashamed of, but being aware as always will definitely accelerate the recovery. We’ll be here in case you need any help, don’t worry.
Thanks Martin, For again a well written and informed mount update overview!
I have updated main windows 7 system pro to the Windows 10 two mount ago!
This mount I am struggling with updating (to main new SSD) main Windows 10 x64 bit pro version (based PC AT/AT Compatible) from Version 10.0.10240 to the newer version Windows 10 Jubilee edition version 1607.
Main Intel SSDSC2bw240h6 (IDE) will not update and freezes the update around 25 %.
Do you have any suggestion what I can do?
Are you using Windows Update for that? Or how do you update the PC? Freezing issues seem to be quite common. Check the resource monitor or network monitor to see if traffic still comes from Microsoft.
@ Paulus ……. Maybe u should first upgrade from Win 10 RTM Build 10240 to Build 10586 or Version 1511, n then upgrade from Build 10586 to Build 14393 or Version 1607.
……. This 2-step upgrade will likely take a long time to complete bc each Build is a 3+GB download n install.
.
Or do a fresh-install of Win 10 Version 1607 via M$’s website, ie use the Win 10 Media Creation Tool.
.
SSD should be configured in the BIOS setting as SATA or AHCI, n not as IDE or PATA(= old technology).
Yes, indeed this cumulative October update went fast and smooth this time, compared with previous versions , a lot better, did not encounter any problems also, so far………..
Another restart tuesday…. joy
Nice if you can even download them, gave up after 4 hours.
Most of updates will be spy on the sheeple. The uninformed, so many now.
Win 7 64
Option 4: What just happened to Samsung I hope the same for Microsoft.
IOW, Micro$oft hv made Win 7/8.1 to be as bad as Win 10, likely in order to push Win 7/8.1 users onto Win 10, ie M$ r trying to make it not worthwhile for users to stay on Win 7/8.1 n not upgrade to Win 10.
.
Seems, this is M$’s revenge against Win 7/8.1 users for rejecting their 1-year free Win 10 upgrade n hiding their Win 10-style Telemetry updates.
……. Prior to April 2016, a freshly-installed Win 7 SP1 had no problems updating thru Windows Update. Since April 2016, M$ “force” freshly-installed Win 7 to hv to first manually install M$’s Telemetry updates(= KB3172605 n KB3020369) b4 Windows Update would work. This had also affected those Win 7/8.1 users who had hidden M$’s Telemetry updates.
…….In fact, Convenience Update Rollups for Win 7/8.1 had already begun in May 2016 but it was optional. KB3172605 is the July 2016 Update Rollup. This Oct 2016 Patch Rollup is compulsory, ie Win 7/8.1 users can’t pick-n-choose the installation of individual updates anymore.
.
Likely, M$ hv reintroduced KB2952664 n KB2976978 in anticipation of Win 7/8.1 users clamoring to upgrade to Win 10 bc M$ will be sending the Nov or Dec 2016 Patch Rollup to purposely bork Win 7/8.1 cptrs, like how M$ hv been ineptly borking n bricking Win 10 cptrs thru forced cumulative auto-updates.
Should I just download KB3192391 and the other updates, avoiding the two monthly rollups I got?
You can always download right from Microsoft’s Catalog, either with IE or if with another browser using the RSS workaround with the link as mentioned in the article :
http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KB3192391
Remember to choose x64 if applicable.
Download and wait before installing, read the articles and users’ feedback, take your time, give yourself at least a week.
Concerning Windows Update and downloading the full roll-up, do as you feel it but I won’t :
“The Windows 7 users who want to keep their systems fully updated will soon be unable to avoid installing KB2952664. Monthly update rollups include all the previous system updates, and by agreeing to install the rollup you also install the whole content of the update package. Now, if you want to keep KB2952664 away from your computer, the safest solution is to simply avoid monthly rollups via Windows Update and install only stand-alone update packages.”
SOURCE : http://windowsreport.com/windows-7-kb2952664/
Not even sure at this time if I can trust the security only update … wait and see. It’ll be like this once a month, Microsoft’s Pain Tuesday.
Andrej: It is confusing…See user Tudor’s link in the article about this on AskWoody. I downloaded and saved for Win 7 in Firefox, have not installed yet, waiting to see how it works out :) kb3192391 x64.msu. Have win update set to Never, if I do install it would do so offline.
Here with Windows 7 it’ll be, it’ll be only and it’ll be if within a week or so the patch will have proved to be clean :
KB3192391 — Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP
via the RSS workaround in order to avoid using IE which is disabled here.
I dislike to feel in the obligation of having to adopt a radical approach but doing so prevented me from getting trapped by the Windows 10 upgrade swindle so I’ll carry on the precautions, not that I fear a GWX return but mainly for avoiding patches which would hide telemetry under questionable non-security fixes and even security only ones which is why i’ll wait a week or so before applying them.
As many I have not an ounce of confidence in Microsoft.
Hi Martin,
What about Windows Malicious Software Removal Tool is it included in “Security only Quality Update” or “Security Monthly Quality Rollup”.
And also what about optional patches.
Thanks,
Vijay
Malicious Software Removal Tool seems to be delivered independently. Good question about optional patches. I don’t know the answer to that, but I would guess that they are kept optional and are not included in the monthly rollup. Does anyone know more about that?
And if you avoid Windows Update you can always download this ‘ Windows Malicious Software Removal Tool’ right from https://www.microsoft.com/en-us/safety/pc-security/malware-removal.aspx
My Windows 7 64 Bits slow searching/finding updates was solved doing this:
Set Windows Update service as Manual and STOPPED it;
Installed KB3138612-x64;
Restarted;
Installed KB3020369-x64;
Restarted;
Installed KB3172605;
Restarted;
Started Windows Update service;
Searched for Updates and in 5 minutes found them!
@ Windows 7 ……. Fyi, KB3172605 is the optional Convenience Update Rollup for July 2016 for Win 7 cptrs. This Rollup is very similar to the now-non-optional KB3185330 Patch Rollup for Oct 2016 for Win 7 cptrs. It is very likely that these Rollups contain the Win 10-style Telemetry updates(= NSA spyware.?) that were first introduced by M$ for Win 7/8.1 cptrs at around Nov 2015.
At around April 2016, Windows Update stopped working for Win 7/8.1 users who had hidden M$’s Telemetry updates n also for freshly-installed Win 7/8.1 cptrs, ie the Telemetry updates(= eg the KB3172605 Update Rollup) hv to be first installed b4 WU would work.
…….Those Win 7/8.1 users who continued to hide M$’s Telemetry updates had to manually install security updates, one-by-one, via M$ Download Center or Update Catalog during the monthly Patch Tuesday. With non-optional Oct 2016 Patch Rollup, the affected Win 7/8.1 users can no longer manually install s.u. one-by-one = hv to forego all security updates.
This is so confusing, I really don’t want to download anything to avoid W10 bs as much as I can. “October 2016 security monthly quality rollup for Windows 7” and “MS16-120: Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7”. Both rollups contain security and also non-security updates? I wonder the risks if I stop completely downloading any updates from now on and eventually just switch to Linux.
PHUCK Microsoft, it is NOT going to mess up my Win7 /64 Professional Network. I do NOT want to be on its CLOUD ever…
It is my Network, my EULA my Property Not Yours.. You can keep 8.0, 8.1 & 10… You screwed up and then you want business to Trust you again?
Not trusting you ever. cutting my RECOMMENDATIONS of Windows UPDATE OFF, since the last time I even allowed a partial download with me “supposedly authorizing ” when. Everytime Now when I try to cut off my computer now it tries to Download those (3) October 16 D/L’s you stuck on my machine and by passed my permission. Even though they bypassed my option for giving them, permission
No, I do NOT want Adobe Flash on my machine!
Not doing it.. I am thru with you..
I just made a fresh install of W7 x64 using WSUS offline. Then I launched WU just to see what happens, not even any “rollup” offered. Thanks.
KB3172605 breaks IE 11.
Is there a way to pass thought this update? it breaks IE for some application that use SHA-1