
Microsoft Security Bulletins April 2016

The Microsoft Security Bulletins overview for April 2016 provides you with detailed information about all security and non-security patches Microsoft released in the past 30 days for client and server versions of Windows, as well as other Microsoft products such as Office.

The overview begins with an executive summary highlighting the most important information about this month's Patch Day.

It is followed by patch information for individual client and server operating systems, and other Microsoft products.

What follows is the list of released security bulletins for April 2016, security advisories, and the list of non-security updates released in the past 30 days.

This is followed by download instructions and links to resources that provide you with additional information.

Microsoft Security Bulletins For April 2016


Executive Summary

  • Microsoft released a total of 13 bulletins in April 2016.
  • Six security bulletins received the highest severity rating of critical; the remaining seven are rated important, the second-highest rating.
  • All client and server versions of Windows are affected by vulnerabilities described in one or multiple critically rated bulletins.
  • Other affected Microsoft products include Microsoft Office and Microsoft SharePoint Server.

Operating System Distribution

All client-based versions of Windows are affected by vulnerabilities fixed by the bulletins MS16-037, MS16-039 and MS16-040 while Windows 10 is also affected by vulnerabilities fixed by MS16-038.

The reason for the additional bulletin is, as usual, Microsoft Edge, which is available exclusively on Windows 10.

MS16-037 is a cumulative update for Internet Explorer, MS16-039 a security update for the Microsoft Graphics Component, and MS16-040 a security update for Microsoft XML Core Services.

As far as important vulnerabilities are concerned, all client versions are affected by vulnerabilities described in MS16-047 (Security Update for SAM and LSAD Remote Protocols). Windows 8.1, RT 8.1 and 10 are affected by MS16-048 (security issue in CSRSS), Windows 8.1 and 10 by MS16-045 (security issue in Windows Hyper-V), and Windows 10 by MS16-046 (security issue in Secondary Logon).

  • Windows Vista: 3 critical, 1 important
  • Windows 7: 3 critical, 1 important
  • Windows 8.1: 3 critical, 3 important
  • Windows RT 8.1: 3 critical, 2 important
  • Windows 10: 4 critical, 4 important
  • Windows Server 2008: 3 critical, 1 important
  • Windows Server 2008 R2: 2 critical, 4 important, 1 moderate
  • Windows Server 2012 and 2012 R2: 2 critical, 1 moderate
  • Server Core: 2 critical, 3 important

Other Microsoft Products

Patches for the following non-Windows Microsoft products were released this month:

  • Microsoft Office 2007, 2010: 1 critical, 1 important
  • Microsoft Office 2013, 2013 RT: 1 critical
  • Microsoft Office 2016: 1 important
  • Microsoft Office for Mac 2011, 2016: 1 important
  • Microsoft Office Compatibility Pack SP3, Excel Viewer, Word Viewer: 1 critical, 1 important
  • Microsoft SharePoint Server 2007: 1 important
  • Microsoft SharePoint Server 2010, 2013: 1 critical
  • Microsoft Office Web Apps 2010, 2013: 1 critical
  • Skype for Business 2016: 1 critical
  • Microsoft Lync 2010, 2013: 1 critical
  • Microsoft Live Meeting 2007 Console: 1 critical

Security Bulletins

MS16-037 - Cumulative Security Update for Internet Explorer (3148531) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS16-038 - Cumulative Security Update for Microsoft Edge (3148532) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.

MS16-039 - Security Update for Microsoft Graphics Component (3148522) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

MS16-040 - Security Update for Microsoft XML Core Services (3148541) - Critical - Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system.

MS16-041 - Security Update for .NET Framework (3148789) - Important - Remote Code Execution

This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

MS16-042 - Security Update for Microsoft Office (3148775) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

MS16-044 - Security Update for Windows OLE (3146706) - Important - Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows OLE fails to properly validate user input.

MS16-045 - Security Update for Windows Hyper-V (3143118) - Important - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code.

MS16-046 - Security Update for Secondary Logon (3148538) - Important - Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows.

MS16-047 - Security Update for SAM and LSAD Remote Protocols (3148527) - Important - Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack.

MS16-048 - Security Update for CSRSS (3148528) - Important - Security Feature Bypass

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.

MS16-049 - Security Update for HTTP.sys (3148795) - Important - Denial of Service

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.

MS16-050 - Security Update for Adobe Flash Player (3154132) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

Security advisories and updates

Microsoft Security Advisory 3152550 - Update to Improve Wireless Mouse Input Filtering

Microsoft is announcing the availability of an update to improve input filtering for certain Microsoft wireless mouse devices. The update enhances security by filtering out QWERTY key packets in keystroke communications issued from receiving USB wireless dongles to wireless mouse devices.

Non-security related updates

  • Update for Windows 10 Version 1511 (KB3147458) - This update includes quality improvements and security fixes. No new operating system features are being introduced in this update.
  • Update for Windows 10 (KB3125217) - Disk cleanup for Windows 10 cumulative updates
  • Update for Windows 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB3147071) - Connection to Oracle database fails when you use Microsoft ODBC or OLE DB Driver for Oracle or Microsoft DTC in Windows
  • Dynamic Update for Windows 10 (KB3147460) - Compatibility update for upgrading to Windows 10 Version 1511: April 12, 2016
  • Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows XP Embedded (KB3148851) - Time zone changes for Russia in Windows
  • Windows Malicious Software Removal Tool - April 2016 (KB890830) / Windows Malicious Software Removal Tool - April 2016 (KB890830) - Internet Explorer Version
  • Update for Windows 7 (KB2952664) - Compatibility update for upgrading Windows 7
  • Update for Windows 8.1 and Windows 8 (KB2976978) - Compatibility update for Windows 8.1 and Windows 8
  • Update for Windows 7 (KB2977759) - Compatibility update for Windows 7 RTM
  • Update for Windows 8.1 and Windows 7 (KB3035583) - Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
  • Update for Windows 10 (KB3140741) - Servicing stack update for Windows 10 Version 1511: March 22, 2016

How to download and install the April 2016 security updates

Updates are, as usual, delivered via Windows Update, the primary updating service built into all versions of the Windows operating system.

We suggest you research updates before installation, but if you are in a hurry, we suggest you back up the system before you update your PC.

To check for updates manually, tap the Windows key on your keyboard, type Windows Update and hit Enter. On the page that opens, click "Check for updates" to run a manual check for new updates.

Depending on your settings, updates that are found during the scan are either shown to you, downloaded only, or downloaded and installed right away.

You may download updates individually from Microsoft's Download Center instead, or download one of the security ISO images that Microsoft releases each month.

Additional resources

 

This article was first seen on ComTek's "TekBits" Technology News
