MS16-099: Description of the security update for Outlook 2013: August 9, 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-099.

Note To apply this security update, you must have the release version of Service Pack 1 for Microsoft Office 2013 installed on the computer.

For a complete list of affected versions of Microsoft Office software, see Microsoft Knowledge Base article KB3177451.

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • Translates some terms in multiple languages to make sure that the meaning is accurate.
  • Adds OST corruption events.
  • Recipients on email sent programmatically in Outlook 2013 aren't added to the user's nickname cache. Therefore, when you manually try to send another email message to the same recipients, you won't get any suggestion for those recipients' names. This update enables users to turn on the ability for recipients to be added to the nickname cache when an email message is sent programmatically. See KB3115397 for more information.
  • When you create an email message by using an Outlook template (.oft) in online mode in Outlook 2013, German or French extended characters aren't displayed correctly and garbled characters are displayed.
  • When you paste a mailto link that has an embedded hyperlink in an email message in Outlook 2013, the hyperlink isn't clickable.
  • When you drag-and-drop a folder (C) between two other folders (A, B) which have sub-folders, folder C will be nested into folder A as a subfolder instead of being inserted between A and B at their same level.
  • When you mark a task as completed in Outlook 2013, you receive the following error message:
    We need to know who to send this to. Make sure you enter at least one name.
    This issue occurs after you install the December 8, 2015, update for Outlook 2013 (KB3114349).
  • If Outlook 2013 crashes after you send an email message while the email message is still in the Outbox folder, the email message is lost and can't be found.
  • After failing an initial logon, a subsequent retry may cause the following message to be incorrectly displayed:
    The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook.
  • Assume that you add a second Exchange account to an existing profile in Outlook 2013 while it's running, and select a different sync slider setting. After you restart Outlook 2013, the sync slider setting of the new account is reset to the default.
  • Folders may disappear from the favorites list in Outlook 2013. This issue occurs if you implement the DisableCrossAccountCopy policy.
  • After the MAPI over HTTP transport protocol is disabled for some Exchange topologies, some online archive mailboxes can't be opened any longer in Outlook 2013.
  • In an ADAL authentication enabled environment, you can't create a profile for Outlook 2013 through Control Panel.
  • After you enable the I am currently giving a presentation option in the Presentation Settings dialog box, Outlook 2013 will not be able to authenticate and will enter a Need Password state.
  • You can't open Mail in Control Panel if you have Outlook 2013 Click-to-Run installed.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see the "Turn on automatic updating in Control Panel" section of this Safety & Security Center article.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information


Q: Does this release contain any additional security-related changes to functionality?

A: Yes. In addition to the security updates that address the vulnerabilities that are described in this bulletin, Microsoft is releasing updates to add a security feature improvement. These updates provide additional information to users when Outlook makes a network connection through a proxy server that requires authentication.

Sometimes, the additional information is not available. In this situation, Outlook silently prevents the connection. This is true in the following configurations:
  • From Outlook 2007 or Outlook 2010, any connection to AutoDiscover or Exchange Web Services
  • From Outlook 2010, any connection that uses MAPI over HTTP
  • From Outlook 2013 or Outlook 2016, any connection to AutoDiscover or Exchange Web Services if the primary mailbox uses a remote procedure call (RPC) or RPC over HTTP connection.
You can use the AllowOutlookHttpProxyAuthentication registry entry to allow Outlook to connect in these configurations after it prompts the user for credentials.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To allow Outlook to make a connection through an authenticating proxy without using the security feature enhancement, add a DWORD value that's named AllowOutlookHttpProxyAuthentication and that has a value of 1 to the following registry subkey, as appropriate for your version:
Outlook 2016: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\HTTP
Outlook 2013: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\HTTP
Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\HTTP
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\HTTP

To add this registry entry, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the appropriate subkey in the registry.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type AllowOutlookHttpProxyAuthentication for the name of the DWORD, and then press Enter.
  5. Right-click AllowOutlookHttpProxyAuthentication, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart Outlook.
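
The same change can be audited and applied from PowerShell. The script below is an added example, not part of the original article or a Microsoft-supplied script; the function names are hypothetical, and the subkeys and value name are the ones listed above. It reports where the override is already set for the current user, which is useful because a value of 1 bypasses the security feature enhancement, and it sets the value for one chosen version.

```powershell
# Added example: audit or set AllowOutlookHttpProxyAuthentication for the current user.
# Function names are hypothetical; subkeys and value name come from this article.
$OfficeVersions = [ordered]@{
    'Outlook 2016' = '16.0'
    'Outlook 2013' = '15.0'
    'Outlook 2010' = '14.0'
    'Outlook 2007' = '12.0'
}
$ValueName = 'AllowOutlookHttpProxyAuthentication'

function Get-OutlookHttpKeyPath([string]$Version) {
    "HKCU:\Software\Microsoft\Office\$Version\Outlook\HTTP"
}

# Report the value (and its registry type) under each version's subkey.
# A missing subkey or value is reported as $null, meaning the override is not set.
function Get-OutlookProxyAuthSetting {
    foreach ($entry in $OfficeVersions.GetEnumerator()) {
        $path = Get-OutlookHttpKeyPath $entry.Value
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Product = $entry.Key
            Path    = $path
            Value   = if ($item) { $item.$ValueName } else { $null }
            Kind    = if ($item) { (Get-Item -Path $path).GetValueKind($ValueName) } else { $null }
        }
    }
}

# Create the subkey if needed and write the DWORD value 1 (steps 2 through 6 above).
function Set-OutlookProxyAuthSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('16.0', '15.0', '14.0', '12.0')]
        [string]$Version
    )
    $path = Get-OutlookHttpKeyPath $Version
    if ($PSCmdlet.ShouldProcess($path, "Set $ValueName = 1 (DWORD)")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-OutlookProxyAuthSetting | Format-Table -AutoSize
# Preview the change for Outlook 2013 without writing anything:
# Set-OutlookProxyAuthSetting -Version '15.0' -WhatIf
```

Run it in the affected user's session, because the subkeys are under HKEY_CURRENT_USER, and restart Outlook after setting the value.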

Security update deployment information

For deployment information about this update, see Microsoft Knowledge Base article KB3177451.

Security update replacement information

This security update doesn't replace any previously released update.
