Large Microsoft Patch Tuesday Update for September 2016

Amol Sarwate

Last updated on: October 27, 2022

It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components including desktop operating systems, servers, browsers, Exchange Server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy. Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability, CVE-2016-3352, which was publicly disclosed earlier, is also patched in the MS16-110 bulletin.


On the desktop side, top priority goes to browsers and Microsoft Office. This includes the Cumulative Security Update for Internet Explorer (MS16-104), which affects IE 9 to 11, and the Cumulative Security Update for Microsoft Edge (MS16-105), which only affects Windows 10 platforms. An attacker can entice users of affected browsers to click malicious links, and if left unpatched, these vulnerabilities can allow attackers to take complete control of the victim machine. The security update for Microsoft Office (MS16-107) also falls in this category: if left unpatched, the issues it addresses allow attackers to take complete control of the victim machine through the click-to-run component and through the way Office objects are handled in memory. MS16-106 affects Windows Vista, Windows 7, 8.1 and 10 and could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.

Next priority goes to the Silverlight bulletin (MS16-109). The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. MS16-116 affects the VBScript Scripting Engine and allows remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website.


Exchange Server administrators should focus on MS16-108, which could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server. If left unpatched, attackers can take complete control of the server.

The Microsoft Office bulletin (MS16-107) also affects Microsoft SharePoint Server 2007, 2010 and 2013 and can allow attackers to take complete control of the server using the Word and Excel automation services on the SharePoint Server.

MS16-106 affects Windows Server 2008 and 2012 along with their R2 counterparts and allows attackers to take complete control of the server system. Server administrators should also look at MS16-110, which applies to Server 2008 and 2012 and allows an attacker with a domain user account to create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.

Overall it’s a large update from Microsoft with fixes for both desktop and server components.

Comments



  1. Thanks for your article about September Patch Tuesday 2016. All updates installed successfully for me using Win 10 1607, now build 14393.187. This update took 30 minutes to download and install …. seems longer than previous updates. All is stable though, with my reliability monitor at “10”. Loving Windows 10.

  2. There were multiple updates for today – now the WED after patch Tuesday – the one that didn’t complete coming down, or loading, was THE windows patch. Frustrating – any suggestions other than patience? Making my third attempt.

    1. Mine does too. Can’t do anything on my computer. It’s been hours. This is at the shut down and restart phase. Would be nice to use Excel again before Christmas!

  3. Windows did not do its normal middle of the night updating. This update has been going for 2 hours & 20 min and counting. It only got as far as 71% then it attempted a reboot and is just spinning on a black screen. Need this up & running now. Help

  4. My desktop is also stuck on a black screen with rotating spots after this update. Left it running over 24 hours before giving up and rebooting. Anybody have a solution to this?