Description of the security update for SharePoint Enterprise Server 2016: March 13, 2018

Applies to: SharePoint Server 2016

Summary


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, go to the Security Update Guide.

Note To apply this security update, you must have the release version of SharePoint Enterprise Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:

  • SharePoint Framework (SPFx)

This public update also delivers all the features previously included in Feature Pack 1 for SharePoint Server 2016, including:

  • Administrative Actions Logging
  • MinRole enhancements
  • SharePoint Custom Tiles
  • Hybrid Auditing (preview)
  • Hybrid Taxonomy
  • OneDrive API for SharePoint on-premises
  • OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that it is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1) and New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).

Improvements and fixes


This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server 2016:

  • After updating and upgrading a SharePoint 2016 farm by using a Public Update, some servers may still report that they’re in the “Upgrade Required” state, even though upgrade had completed successfully. This issue is fixed in this update
  • When you use Norwegian (Bokmål) or any other locale that has the same separator for dates and times, you receive the following error message when you verify the date and time fields:

    index was outside the bounds of the array 

  • You cannot open a followed document online if its filename contains the ampersand character (&). Additionally, you receive the following error message:

    Error happened:
    Item does not exist. It may have been deleted by another user. 

  • The default PDF parser doesn't parse correctly some documents that are created by Arbortext PDF Creator.
  • When you add a user to a SharePoint group through the REST APIs, you receive an “UnauthorizedAccessException” error message even though the operation is completed.
  • After migration from SharePoint Server 2013 to SharePoint Server 2016, the InfoPath forms that use the User Profile Service web service (UserProfile.asmx) are not working as expected.
  • In lists that have a Multiple Lines of Text column, when the Enhanced rich text (Rich text with pictures, tables and hyperlinks) option is selected, data in tables cannot be used for searching.
  • When the Version column in a list is indexed, you cannot add or update an item or a document in the SharePoint document library list. Additionally, you receive an error message that resembles the following:

    The URL 'Shared Documents/filename.doc' is invalid. It may refer to a nonexistent file or folder, or refer to a valid file or folder that is not in the current Web.

  • This update improves the indexing compatibility for some malformed PDF files.
  • This update changes the hotfix files to make sure that all files that are required for SharePoint Framework (SPFx) are included.

This security update contains improvements and fixes for the following nonsecurity issues in Project Server 2016:

  • When the Project permission “View the Project Schedule Details in Project Web App” is enabled, you may see views and data that you don’t have permission to see.
  • Actual work that’s applied as a part of a status updates approval doesn't always appear in the given project.
  • When you open and edit a project, and then save back to Project Server 2016, you may see an error message in the Unified Logging System (ULS) logs that resembles the following:

    [PS_AC][Number] Invalid bool pid 188745088 (B400580) for container Task

    • When you open and edit a project, and then save it in Project Server 2016, you may receive an error message that has some of the following elements in it:

      ActiveCacheQueuedMessageExecutionError
      error="System.InvalidCastException: Specified cast is not valid”

    • Consider the following scenario:
       
      • You have a Project Web App (PWA) site and Project Server 2016 in your organization.
      • You log on to a PWA instance, and then create an enterprise custom field for the resource entity and another enterprise custom field for the project entity.
      • You start Project Professional 2016 and connect to Project Server 2016. Then, you add a resource and set a value for the custom field of the resource.
      • You save the project and check it in.
      • In PWA, you locate the Project Center, drill into the project, and then select a Project Details Page (PDP), if you have not already selected it.
      • You make a change to the project custom field, and then you save the project from the PDP.
      • In Project Professional 2016, you open the project and view the custom field value.

      In this situation, the value of the resource custom field is missing.

How to get and install the update


Method 1: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 2: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information


Security update deployment information

For deployment information about this update, see security update deployment information: March 13, 2018.

Security update replacement information

This security update replaces previously released security update 4011680.

File hash information

Package name Package hash SHA 1 Package hash SHA 2
sts2016-kb4018293-fullfile-x64-glb.exe 7B8FE62023C1BA79244497DCCADE2AA7176951B2 DDC11EA34BC29DA0BB17157675C0899AC6724E1118F456EDD6C6689D1333FBE7

File information

For the list of files this update 4018293 contains, download the file information for update 4018293.

How to get help and support for this security update


Help for installing updates: Windows Update FAQ

Security solutions for IT professionals: Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure

Local support according to your country: International Support

Propose a feature or provide feedback on SharePoint: SharePoint User Voice portal