Description of the security update for Outlook 2016: June 13, 2017

Applies to: Outlook 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-8506, Microsoft Common Vulnerabilities and Exposures CVE-2017-8507, and Microsoft Common Vulnerabilities and Exposures CVE-2017-8508.

Note To apply this security update, you must have the release version of Outlook 2016 installed on the computer.

Known issues in this security update

Issue 1

When you open an attachment that includes consecutive dots (...), or an exclamation point (!), the files are blocked and you receive a warning message. See You receive an error when opening attachments in Outlook for more information.

Issue 2

If an email message includes an attached email message, and the attached email message's subject line ends with an unsafe file name extension as listed in the Blocked attachments in Outlook page, the email attachment will be blocked for recipients. To fix this issue, save the email message to the computer and rename its subject line so that it does not end with an unsafe file name extension. Then, attach it to the email message to be sent.

Issue 3

When you open attachments that use ShowLevel1Attach, you receive this message:

"One or more objects in this file have been disabled due to your policy settings".

See You receive an error when opening attachments in Outlook for more information.

Issue 4

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • The IRibbonControl.Context property now returns an AttachmentSelection object when you extend the context menu for attachments.
  • Increases the number of retries when connecting to a host in Microsoft Outlook 2016. By default, WinHTTP will try six IP addresses (one initial attempt and five retries) when trying to establish a connection to a host. If Outlook 2016 tries to attempt more than six IP addresses, the connection will fail. This is particularly problematic on networks that have intermittent IPv6 connectivity problems. Increasing the number of retries may allow the connection to succeed with IPv4 addresses. To enable this feature, see KB3178716.
  • Adds the AutoDiscover URL for the Office 365 German Cloud ( to the list of trusted AutoDiscover URL to avoid a prompt when creating a mail profile with an Office 365 mailbox.
  • Make user profiles more robust when migrating to the cloud.
  • Outlook should not collect availability information from outside applications.
  • Fixes the following issues:
    • When you start Outlook 2016 in Office 365, Outlook 2016 displays the password dialog box that has the SMTP address as the user name. This issue occurs even if you have the Remember my credentials option selected and the UPN differs from the SMTP address.
    • With Add-ins, calling GetUserIdentityTokenAsync and MakeEwsRequestAsync at nearly the same time will result in one of them erroring out.
    • Implements SMIME certificate retrieval from Offline Address Book (OAB) when the UserCertificateUserSmimeCertificate, and Certificate fields in the OAB are created as Indicator instead of Value, which is the default setting.
    • If you have a profile that has a Microsoft SharePoint calendar in Outlook 2016 and the calendar is synchronizing in the background, Outlook 2016 may crash.
    • Some English words in the subject of an item are marked as incorrect by spell checker in a multilanguage Windows configuration. This is because an incorrect language is used for spelling check. To fix this issue, install the update and then follow the steps in KB3203435.
    • Resolves an issue for some Japanese IMAP accounts where after upgrading from Japanese Outlook 2010 to Japanese Outlook 2016, there are two Sent Items (送信済みアイテム) folders.
    • The proxy authentication doesn't work for the HTTP Redirect method in Outlook 2016. However, the proxy authentication still applies to other auto discover steps. Therefore, you may not able to create profiles for cloud mailboxes.
    • Outlook 2016 displays exceptions of recurring meetings in SharePoint.
    • After a delegate views a rejected meeting, the declined meeting appears in the calendar again if the delegate has not rejected the meeting.
    • When the binary data that is defined by a policy nudge is an exact multiple of 4k for Outlook 2016, Outlook 2016 may crash.

How to get and install the update

Method 1: Microsoft Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

More Information

Security update deployment information

For deployment information about this update, see security update deployment information: June 13, 2017.

Security update replacement information

This security update replaces the previously released update KB3178664.

File hash information

Package Name Package Hash SHA 1 Package Hash SHA 2
outlook2016-kb3191932-fullfile-x86-glb.exe 0CA8B6D4E6A0D854EBBC0E032B16F9BC76FE2FBB 1F11F15F3D4AD11A6178985D94CE655614B0A7B5A1386F8197235AD5A5B0040A
outlook2016-kb3191932-fullfile-x64-glb.exe 55413FA64A489CC6661B38D317462585A15CC34D 7A4C5CD18665AB7DCF053325D86763253B71A8AA9B21ECE07F4C5E5EEADC13CD

File information

How to get help and support for this security update

Help for installing updates: Windows Update FAQ

Security solutions for IT professionals:
TechNet Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware:
Microsoft Secure

Local support according to your country:
International Support

Propose a feature or provide feedback on Office Core: Office User Voice portal