Update 8/9/2016: Excel Workbooks may not open after installing MS16-088


UPDATE: This issue is resolved, scroll to the bottom to see the Resolution Section in todays update.

 

The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML or XLA file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security. After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened. We apologize that Excel is showing a blank screen instead of a more helpful error message with information about what to do next.

 

We have a few options for workarounds. These are in order from safest to riskiest. While some people in the forums have suggested rolling back the security patch, we do not recommend that option as it can leave you open to other current and future threats.

  1. The best option is to move away from using HTML wrapped as .xls. If you use native formats (e.g. xls, xlsx, xlsb) which will open in protected view when untrusted, this will provide some level of protection from the documents being opened.
  2. You can unblock access for individual files you know are safe. To do this:
    1. Right click on the file and choose Properties
    2. On the General tab, click Unblock
    3. Click OK
  3. You can make use of existing Trusted Locations capabilities in Excel 2010, 2013, and 2016 via File -> options -> Trust Center -> Trust Center Settings -> Trusted Locations.
    1. You can save the web html file to a trusted location on the local machine (Excel comes with a set of default trust locations). If you do not see the local folder location you trust for these files, then press “Add new location…” button and add it in the Trusted Location dialog. If the HTML document is in a trusted location the KB fix is not applied (e.g. the unsafe HTML file is not blocked).
    2. This approach may unblock you, but it carries some risk as files of any file type in Trusted Locations are fully trusted. If an attacker can drop files into the trusted location they can easily exploit users who open such documents. Be especially cautious when specifying a custom folder as a trusted location.

 


Update 7/28/2016

Update: Our dev team is working on options to preserve security and assist customers with their workflow. Currently we do not have any further workarounds.

Additional background: The security update changed how Excel handles documents that are opened from untrusted locations (such the Internet zone) which are not supported in Protected View, such as HTML/XML/XLA files. Opening them without Protected View has led to a security vulnerability, and therefore files open from such locations are now blocked.  We realize this breaks compatibility with some existing solutions, and are working on getting these file types supported with Protected View.  Until that happens, users will need to manually trust the file before they open them in Excel, as demonstrated in one of the workaround suggestions.  Excel can still open these files without an issue if they are trusted. 

We strongly recommend against removing the security update. It will leave your systems vulnerable. More information is located here: https://technet.microsoft.com/library/security/MS16-088?f=255&MSPPError=-2147217396. Specifically, the section regarding "Microsoft Office Security Feature Bypass Vulnerability – CVE-2016-3279".

Additional information on implementing workaround options, by product version:

Office 2016

Here is information on Office Trusted Locations
https://technet.microsoft.com/en-us/library/cc179039(v=office.16).aspx
and information on Protected View settings
https://technet.microsoft.com/en-us/library/ee857087(v=office.16).aspx

Office 2013

Here is information on Office Trusted Locations
https://technet.microsoft.com/en-us/library/cc179039(v=office.15).aspx
and information on Protected View settings
https://technet.microsoft.com/en-us/library/ee857087(v=office.15).aspx

 Office 2010

Here is information on Office Trusted Locations
https://technet.microsoft.com/en-us/library/cc179039(v=office.14).aspx
and information on Protected View settings
https://technet.microsoft.com/en-us/library/ee857087(v=office.14).aspx


Update 8/9/2016

Resolution

Install the update for your version of Office.

  • Office 365 subscription (Click-to-Run)—install the latest updates (this includes, Current Channel, First Release Deferred Channel and Deferred Channel)
  • Installer version (MSI)—To get the fix today, use the links in the KB for your version of Office to download the update from the Download Center. The updates will also publish to Windows Update/WSUS service next week where they will be updated automatically based on the Windows Update settings.

     

    Comments (0)

    Skip to main content