Excel refusing to open files? Blame the KB 3115322, 3115262 security updates

Excel users are reporting an odd bug in the way Excel 2010 and 2013 behave. In the past, XLS files produced by various packages (including Salesforce) could be opened by double-clicking on them. After the MS16-088 patch is applied, though, Excel refuses to open XLS files, showing a blank screen instead of a workbook.

Poster conker123 on the TechNet Office forum described the problem precisely:

We dynamically generate various reports in HTML format and serve them up on a website.  We give users the option to download these reports as Excel (XLS) files. Normally, when users open these files Excel properly handles the data – they’re simply HTML tables. Excel displays a warning message that the file format and extension don’t match (HTML table and XLS), but allows the user to open the file anyway.

Today, users reported that these reports no longer work.  The issue appears to be caused by yesterday’s patch – KB3170008… When opening one of these files, Excel will act as if no file is open.

Users can save the file, then right click it, click Properties, and then click Unblock next to the “This file came from another computer and might be blocked to help protect this computer.” warning.  After doing this, the file can be opened as before (with the warning about the file extension and formatting not matching).

Microsoft employee Freya gave a full explanation last Thursday:

The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML or XLA file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security. After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened. We apologize that Excel is showing a blank screen instead of a more helpful error message with information about what to do next.

This gets unwieldy very quickly because the MS16-088 patch is, in fact, a huge collection of separately numbered patches. The official list in KB 317008 carries 29 separately identified minipatches.

As Freya notes, this problem has so far been identified with KB 3115322 (Security update for Excel 2010) and KB 3115262 (Security update for Excel 2013). Those are two of the 29 updates listed as part of MS16-088/KB 317008.

It isn’t clear to me if the same problem occurs with Excel 2016 (KB 3115272) or with various Office 365 Click-to-Run versions (version 1605 build 6965.2066 seems a likely candidate). Please let me know in the comments below or on AskWoody.com, if you’ve been able to replicate this problem with other versions of Office patches.

Based on Freya’s comment, it seems unlikely Microsoft will fix the problem — it’s a feature, not a bug, dontcha know. However, there’s a bit of hedging at the end:

We are also investigating a more permanent solution that allows our users to remain secure as well as minimize disruption to existing user experience. We’ll provide updates on this in the coming days. Thank you for your patience.

There are three workarounds listed in Freya’s post: Stop using HTML to wrap XLS files, unblock access to individual files, or add the source of the files to the Trusted Locations list in Excel.

Predictably, developers are not happy about these options. Nor are they happy about getting blindsided with an unannounced feature change that went unexplained for more than a week.

From a developer’s point of view, they are being blamed by customers for a bug that’s beyond their control. A technique that worked for many years suddenly stopped working, with no warning and a week-late explanation. Having your customers open up a blank workbook does not exactly inspire confidence.