Microsoft Security Bulletins June 2016

This summary provides you with detailed information about the security bulletins that Microsoft released for its Windows operating system and other company products on June 14, 2016.

The guide lists all security and non-security patches, as well as security advisories that Microsoft released since the last patch day on May 10, 2016.

Each update is linked to Microsoft's Knowledge Base so that you can look it up in detail.

Apart from the list of patches, our overview provides you with information about the operating system and other Microsoft products distribution, an executive summary, and information on how to download the updates to Windows machines.

Microsoft Security Bulletins June 2016

Executive Summary

• Microsoft released a total of 16 security bulletins on the June 2016 Patch Day.
• 5 of the bulletins received the highest severity rating of critical, the remaining 11 bulletins a rating of important.
• Affected products include all client and server versions of Microsoft Windows, Microsoft Office, and Microsoft Exchange.

Operating System Distribution

All client versions of Windows are affected critically by vulnerabilities described in MS16-063. Windows Vista on top of that is affected critically by MS16-069, and Windows 10 by MS16-068.

MS16-069 is a cumulative security update for JScript and VBScript, and MS16-068 an update for Microsoft Edge which is exclusively available for Windows 10.

The critical server vulnerability affects only Windows Server 2012 and 2012 R2. It is described as an update for Microsoft Windows DNS Server in the bulletin MS16-071.

• Windows Vista: 2 critical, 2 important
• Windows 7: 1 critical, 2 important
• Windows 8.1: 1 critical, 3 important
• Windows RT 8.1: 1 critical, 2 important
• Windows 10: 2 critical, 4 important
• Windows Server 2008: 3 important, 2 moderate
• Windows Server 2008 R2: 4 important, 1 moderate
• Windows Server 2012 and 2012 R2: 1 critical, 5 important, 1 moderate
• Server core: 1 critical, 3 important, 1 moderate

Other Microsoft Products

All Office products are affected by vulnerabilities described in the bulletin MS16-070. Microsoft Exchange Server is affected by vulnerabilities described in MS16-079.

• Microsoft Office 2007, 2010, 2013, 2013 RT, 2016: 1 critical
• Microsoft Office for Mac 2011, 2016: 1 critical
• Microsoft Office Compatibility Pack SP3: 1 important
• Microsoft Visio Viewer 2007 SP3, 2010: 1 important
• Microsoft Word Viewer: 1 important
• Microsoft SharePoint Server 2010, 2013: 1 important
• Microsoft Office Web Apps 2010, 2013: 1 important
• Office Online Server: 1 important
• Microsoft Exchange Server 2007, 2010, 2013, 2016: 1 important

Security Bulletins

MS16-063 - Cumulative Security Update for Internet Explorer (3163649) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS16-068 - Cumulative Security Update for Microsoft Edge (3163656) - Critical - Remote Code Execution

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.

MS16-069 - Cumulative Security Update for JScript and VBScript (3163640) - Critical - Remote Code Execution

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website.

MS16-070 - Security Update for Microsoft Office (3163610) - Critical - Remote Code Execution

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

MS16-071 - Security Update for Microsoft Windows DNS Server (3164065) - Critical - Remote Code Execution

The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

MS16-072 - Security Update for Group Policy (3163622) - Important - Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

MS16-073 - Security Update for Windows Kernel-Mode Drivers (3164028) - Important - Elevation of Privilege

The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-074 - Security Update for Microsoft Graphics Component (3164036) - Important - Elevation of Privilege

The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

MS16-075 - Security Update for Windows SMB Server (3164038) - Important - Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

MS16-076 - Security Update for Netlogon (3167691) - Important - Remote Code Execution

The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

MS16-077 - Security Update for WPAD (3165191) - Important - Elevation of Privilege

The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.

MS16-078 - Security Update for Windows Diagnostic Hub (3165479) - Important
Elevation of Privilege

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-079 - Security Update for Microsoft Exchange Server (3160339) -  Important - Information Disclosure

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

MS16-080 - Security Update for Microsoft Windows PDF (3164302) - Important - Remote Code Execution

The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could cause arbitrary code to execute in the context of the current user.

MS16-081 - Security Update for Active Directory (3160352) - Important - Denial of Service

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

MS16-082 - Security Update for Microsoft Windows Search Component (3165270) - Important - Denial of Service

The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

Security advisories and updates

MS16-033: Security Update for Windows Embedded Standard 7 (KB3139398)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system.

MS16-064: Security Update for Adobe Flash Player for Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012 (KB3163207)

MS16-064: Security update for Adobe Flash Player: May 13, 2016

MS16-065: Security Update for Microsoft .NET Framework 4.6 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB3142037)

MS16-065: Description of the security update for the .NET Framework 4.6.1 in Windows 7 SP1 and Windows Server 2008 R2 SP1 and the .NET Framework 4.6 in Windows Vista SP2 and Windows Server 2008 SP2: May 10, 2016

Microsoft Security Advisory 2880823

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Microsoft Security Advisory 3155527

Update to Cipher Suites for FalseStart

Non-security related updates

Update for Windows 7 (KB2952664)

Update for Windows 7 (KB2977759)

Update for Windows 8.1 and Windows 8 (KB2976978)

Compatibility update for upgrading Windows 7, 7 RTM, 8, 8.1. This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.

Update for Windows Embedded 8 Standard (KB3156416)

May 2016 update rollup for Windows Server 2012

Update for Windows 8.1 and Windows 7 (KB3035583)

This update installs the Get Windows 10 app that helps users understand their Windows 10 upgrade options and device readiness.

Update for Windows 8.1 and Windows 7 (KB3123862)

Updated capabilities to upgrade Windows 8.1 and Windows 7

Update for Windows 7 and Windows Server 2008 R2 (KB3125574)

Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1.

Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7, and Windows Server 2008 R2 (KB3139923)

MSI repair doesn't work when MSI source is installed on an HTTP share in Windows

Update for Windows Server 2012 R2 (KB3155444)

PXE client computers freeze during multithread network transfers in Windows Server 2012 R2.

Update for Windows Server 2012 (KB3156416)

May 2016 update rollup for Windows Server 2012

Update for Windows 7 and Windows Server 2008 R2 (KB3156417)

May 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1

Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB3156418)

May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Update for Windows 10 (KB3159635)

Windows 10 Update Assistant: To help keep all Windows 10 systems secure and provide the latest features and improvements, the Windows 10 Update Assistant downloads and starts the setup for Windows 10 version 1511.

Update for Windows 10 (KB3147062)

Signing verification failure breaks audio functionality in Windows 10 Version 1511

Update for Windows 8.1, Windows 8, and Windows 7 (KB3150513)

May 2016 Compatibility Update for Windows

Update for Windows 10 (KB3152599)

Preinstalled system applications and Start menu may not work when you upgrade to Windows 10 Version 1511

How to download and install the June 2016 security updates

The security updates that Microsoft published on the June 2016 Patch Day are already available via Windows Update.

While the updates will get picked up eventually, it is possible to run a manual check for updates to speed up the process.

1. Tap on the Windows-key, type Windows Update, and hit the Enter-key afterwards.
2. Click on the check for updates button to run a manual check for new updates for the operating system.

Windows will check for updates and either download and install them automatically, only download them, or prompt you for actions.

Please note that it is recommended to research Windows updates before you install them to avoid issues after installing them.

Some updates are made available via Microsoft's Download Center, while all security updates via Microsoft's Update Catalog.

All security updates are also made available via security ISO images that Microsoft releases on a monthly basis.

Additional resources

• Microsoft Security Bulletin Summary for June 2016
• List of software updates for Microsoft products
• List of security advisories of 2016
• Windows 10 Update History