MS16-099: Description of the security update for Outlook 2010: August 9, 2016

Applies to: Microsoft Office 2010 Service Pack 2


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-099.

Note To apply this security update, you must have the release version of Service Pack 2 for Office 2010 installed on the computer.

For a complete list of affected versions of Microsoft Office software, see Microsoft Knowledge Base article KB3177451.

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • Attachments are rearranged, deleted, duplicated, or corrupted.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see the "Turn on automatic updating in Control Panel" section of this Safety & Security Center article.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information


Q: Does this release contain any additional security-related changes to functionality?

A: Yes. In addition to the security updates that address the vulnerabilities that are described in this bulletin, Microsoft is releasing updates to add a security feature improvement. These updates provides additional information to users when Outlook makes a network connection through a proxy server that requires authentication.

Sometimes, the additional information is not available. In this situation, Outlook silently prevents the connection. This is true in the following configurations:
  • From Outlook 2007 or Outlook 2010, any connection to AutoDiscover or Exchange Web Services
  • From Outlook 2010, any connections that uses MAPI over HTTP
  • From Outlook 2013 or Outlook 2016, any connection to AutoDiscover or Exchange Web Services if the primary mailbox uses a remote procedure call (RPC) or RPC over HTTP connection.
You can use the AllowOutlookHttpProxyAuthentication registry entry to allow Outlook to connect in these configurations after it prompts the user for credentials.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To allow Outlook to make a connection through an authenticating proxy without using the security feature enhancement, add a DWORD value that's named AllowOutlookHttpProxyAuthentication and that has a value of 1 to the following registry subkey, as appropriate for your version:
Outlook 2016: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\HTTP
Outlook 2013: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\HTTP
Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\ HTTP
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\HTTP

To add this registry entry, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the appropriate subkey in the registry.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type AllowOutlookHttpProxyAuthentication for the name of the DWORD, and then press Enter.
  5. Right-click AllowOutlookHttpProxyAuthentication, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart Outlook.

Security update deployment information

For deployment information about this update, see Microsoft Knowledge Base article KB3177451.

Security update replacement information

This security update doesn't replace any previously released update.

File hash information

Package NamePackage Hash SHA 1Package Hash SHA 2