MS16-107: Description of the security update for Outlook 2016: September 13, 2016

Applies to: Outlook 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-107.

Note: To apply this security update, you must have the release version of Outlook 2016 installed on the computer.

For a complete list of affected versions of Microsoft Office software, see Microsoft Knowledge Base article KB3185852.

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • Add OST corruption events.
  • Translate some terms in multiple languages to make sure that the meaning is accurate.
  • When you use an intended form to open an item in Outlook 2016, the forms cache is corrupted and you receive the following error message:
    The custom form cannot be opened. Outlook will use an Outlook form instead. The form required to view this message cannot be displayed. Contact your administrator.
  • Assume that an email message is sent programmatically in Outlook 2016. When you try to send another email message manually to the same recipients who are used in your automation, you don't get any suggestions for those recipients' names. This is because users who sent email programmatically are not added to your nickname cache by default. This change allows administrators to override that default behavior if they choose. See KB3115483 for more information.
  • Unexpected and unnecessary authentication prompts are displayed when you start Outlook 2016.
  • After a search result is moved, the item persists in the results list.
  • You can't open public folders in Outlook 2016. This issue commonly affects Office 365 subscribers.
  • When you search items in the current folder in Outlook 2016, no preview is displayed if the Exchange Server version is earlier than 2016 and the Message Preview is set to 3 Lines.
  • When you move a junk email message from the Junk E-Mail folder and try to download the message again in Outlook 2016, the email message is moved to the Junk E-Mail folder again.
  • When you use a meeting request in Outlook 2016, Outlook 2016 crashes randomly.
  • When you try to edit an appointment or meeting in Outlook 2016, the Browse Web Locations option is unavailable and you can't attach some files.
  • Consider the following scenario:
    • You enable cached mode in Outlook 2016.
    • You add two or more Exchange accounts to the same profile.
    • You disable cached mode for those accounts, either manually or by Group Policy.
    • You delete .ost files.
    In this scenario, Outlook 2016 can't send email messages, and the email messages are stuck in the Outbox folder. 
  • A non-default retention policy that is applied to shared mailboxes in Outlook does not apply to subfolders that are created in those mailboxes by any user who has permissions to that mailbox in Cached Exchange mode. This causes messages that are moved to those subfolders to inherit the parent folder's retention policy and not honor the policy that is set by the user. Therefore, the message is deleted during the wrong period.
  • When you select the Preview file button for a PDF file of an email message in Outlook 2016, the PDF file can't be previewed.
  • Assume that you disable read receipt functionality in Outlook 2016. When you receive email messages that have a requested S/MIME receipt, local copies of email messages bloat the Versions folder on the server that is running Exchange Server.
  • Attachments are rearranged, deleted, duplicated, or corrupted.
  • You can now specify the default editor format for calendar items. For more information, see KB3118318. Note: This only sets the initial default format to be used when a calendar item is created. You can still select another format.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see the "Turn on automatic updating in Control Panel" section of this Safety & Security Center article.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information

Security update deployment information

For deployment information about this update, see Microsoft Knowledge Base article KB3185852.

Security update replacement information

This security update doesn't replace any previously released update.

File hash information

Package name | Package hash SHA 1 | Package hash SHA 2