MS16-099: Description of the security update for Outlook 2016: August 9, 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-099.

Note To apply this security update, you must have the release version of Outlook 2016 installed on the computer.

For a complete list of affected versions of Microsoft Office software, see Microsoft Knowledge Base article KB3177451.

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • Update the requirement set to the current version for Web Add-ins in Outlook 2016.
  • Some unnecessary network traffic occurs during AutoDiscover in Outlook 2016.
  • When you mark a task as completed in Outlook 2016, you receive the following error message:
    We need to know who to send this to. Make sure you enter at least one name.

  • When you use a .prf file to set an IMAP profile in Outlook 2016, authentication dialog box isn't displayed. Therefore, emails can't be synchronized and you can't send email messages.
  • When you paste a mailto link that has an embedded hyperlink in an email message in Outlook 2016, the hyperlink isn't clickable.
  • When you create an email message by using an Outlook template (.oft) in online mode in Outlook 2016, German of French extended characters aren't displayed correctly and garbled characters are displayed.
  • When you send digitally signed email messages in a 64-bit version of Outlook 2016, you receive the following error message:
    A required action was not successful because of an unspecified error.

  • You can't use Outlook 2016 to connect online archive and shared mailbox in different sites in Exchange Server 2010.
  • Even though the Cached Mode Group Policy Object (GPO) forces cache mode for an account, the cached account still displays an online data file location.
  • Assume that you add a second Exchange account to an existing profile in Outlook 2016 while it's running, and select a different sync slider setting. After you restart Outlook 2016, the sync slider setting of the new account is reset to the default.
  • If Outlook 2016 crashes after you send an email message while the email message is still in the Outbox folder, the email message is lost and can't be found.
  • After you enable the I am currently giving a presentation option in the Presentation Settings dialog box, Outlook 2016 will not be able to authenticate and will enter a Need Password state.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see the "Turn on automatic updating in Control Panel" section of this Safety & Security Center article.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information


Q: Does this release contain any additional security-related changes to functionality?

A: Yes. In addition to the security updates that address the vulnerabilities that are described in this bulletin, Microsoft is releasing updates to add a security feature improvement. These updates provides additional information to users when Outlook makes a network connection through a proxy server that requires authentication.

Sometimes, the additional information is not available. In this situation, Outlook silently prevents the connection. This is true in the following configurations:
  • From Outlook 2007 or Outlook 2010, any connection to AutoDiscover or Exchange Web Services
  • From Outlook 2010, any connections that uses MAPI over HTTP
  • From Outlook 2013 or Outlook 2016, any connection to AutoDiscover or Exchange Web Services if the primary mailbox uses a remote procedure call (RPC) or RPC over HTTP connection.
You can use the AllowOutlookHttpProxyAuthentication registry entry to allow Outlook to connect in these configurations after it prompts the user for credentials.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To allow Outlook to make a connection through an authenticating proxy without using the security feature enhancement, add a DWORD value that's named AllowOutlookHttpProxyAuthentication and that has a value of 1 to the following registry subkey, as appropriate for your version:
Outlook 2016: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\HTTP
Outlook 2013: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\HTTP
Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\ HTTP
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\HTTP

To add this registry entry, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the appropriate subkey in the registry.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type AllowOutlookHttpProxyAuthentication for the name of the DWORD, and then press Enter.
  5. Right-click AllowOutlookHttpProxyAuthentication, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart Outlook.

Security update deployment information

For deployment information about this update, see Microsoft Knowledge Base article KB3177451.

Security update replacement information

This security update doesn't replace any previously released update.

File hash information

Package NamePackage Hash SHA 1Package Hash SHA 2
File information
How to get help and support for this security update

Article ID: 3115440 - Last Review: Jan 19, 2017 - Revision: 2

Outlook 2016