This month's monster security patch for Office breaks Excel when it tries to open HTML files, and it seems unlikely Microsoft will fix the problem.

Excel users are reporting an odd bug in the way Excel 2010 and 2013 behave. In the past, XLS files produced by various packages (including Salesforce) could be opened by double-clicking on them. After the MS16-088 patch is applied, though, Excel refuses to open these XLS files, showing a blank screen instead of a workbook.

Poster conker123 on the TechNet Office forum described the problem precisely:

We dynamically generate various reports in HTML format and serve them up on a website. We give users the option to download these reports as Excel (XLS) files. Normally, when users open these files Excel properly handles the data – they’re simply HTML tables. Excel displays a warning message that the file format and extension don’t match (HTML table and XLS), but allows the user to open the file anyway.

Today, users reported that these reports no longer work. The issue appears to be caused by yesterday’s patch – KB3170008… When opening one of these files, Excel will act as if no file is open. Users can save the file, then right click it, click Properties, and then click Unblock next to the “This file came from another computer and might be blocked to help protect this computer.” warning. After doing this, the file can be opened as before (with the warning about the file extension and formatting not matching).

Microsoft employee Freya gave a full explanation last Thursday:

The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML or XLA file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security.
After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened. We apologize that Excel is showing a blank screen instead of a more helpful error message with information about what to do next.

This gets unwieldy very quickly because the MS16-088 patch is, in fact, a huge collection of separately numbered patches. The official list in KB 3170008 carries 29 separately identified minipatches. As Freya notes, this problem has so far been identified with KB 3115322 (Security update for Excel 2010) and KB 3115262 (Security update for Excel 2013). Those are two of the 29 updates listed as part of MS16-088/KB 3170008.

It isn’t clear to me if the same problem occurs with Excel 2016 (KB 3115272) or with various Office 365 Click-to-Run versions (version 1605 build 6965.2066 seems a likely candidate). Please let me know in the comments below or on AskWoody.com if you’ve been able to replicate this problem with other versions of Office patches.

Based on Freya’s comment, it seems unlikely Microsoft will fix the problem — it’s a feature, not a bug, dontcha know. However, there’s a bit of hedging at the end:

We are also investigating a more permanent solution that allows our users to remain secure as well as minimize disruption to existing user experience. We’ll provide updates on this in the coming days. Thank you for your patience.

There are three workarounds listed in Freya’s post: Stop using HTML to wrap XLS files, unblock access to individual files, or add the source of the files to the Trusted Locations list in Excel.

Predictably, developers are not happy about these options. Nor are they happy about getting blindsided with an unannounced feature change that went unexplained for more than a week. From a developer’s point of view, they are being blamed by customers for a bug that’s beyond their control.
A technique that worked for many years suddenly stopped working, with no warning and a week-late explanation. Having your customers open up a blank workbook does not exactly inspire confidence.
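
Acting on the first workaround in Freya's list means knowing which generated downloads are really HTML under a workbook extension. The sketch below is an added example, not code from the article or from Microsoft: it classifies files by their leading bytes rather than their names and lists the HTML-as-XLS ones. The function names, file names and sample contents are constructed for illustration, and only the HTML case is checked, not the XLA case.

```python
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # binary .xls (compound file) header
ZIP_MAGIC = b"PK\x03\x04"                        # .xlsx/.xlsm (OOXML) container
BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
HTML_STARTS = ("<!doctype html", "<html", "<head", "<meta", "<body", "<table")
WORKBOOK_EXTS = {"xls", "xlsx", "xlsm"}

def sniff_format(data: bytes) -> str:
    """Classify a download by its leading bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data[:4096]
    for bom, encoding in BOMS:
        if head.startswith(bom):
            text = head[len(bom):].decode(encoding, "replace")
            break
    else:
        text = head.decode("latin-1")   # byte-preserving fallback for BOM-less text
    text = text.lstrip().lower()
    return "html" if text.startswith(HTML_STARTS) else "unknown"

def html_disguised_as_xls(files: dict) -> list:
    """Return names whose extension promises a workbook but whose content is HTML."""
    flagged = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in WORKBOOK_EXTS and sniff_format(data) == "html":
            flagged.append(name)
    return sorted(flagged)

# Constructed sample inputs (not real reports).
SAMPLES = {
    "sales_report.xls": b"<html><body><table><tr><td>Q2</td></tr></table></body></html>",
    "bom_report.xls": b"\xef\xbb\xbf\r\n<TABLE><TR><TD>42</TD></TR></TABLE>",
    "utf16_report.xls": b"\xff\xfe" + "<table><tr><td>7</td></tr></table>".encode("utf-16-le"),
    "real_binary.xls": OLE2_MAGIC + b"\x00" * 504,
    "modern.xlsx": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 26,
    "notes.html": b"<html><body>not a workbook download</body></html>",
}

if __name__ == "__main__":
    for name in html_disguised_as_xls(SAMPLES):
        print("HTML content under a workbook extension:", name)
```

Files it lists are the ones users would see as a blank Excel window when they arrive from an untrusted location after the update.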