KB3170008 for Office 2016 Breaks Functionality - MS16-088

  • Question

  • We dynamically generate various reports in HTML format and serve them up on a website.  We give users the option to download these reports as Excel (XLS) files.

    Normally, when users open these files Excel properly handles the data - they're simply HTML tables.
    Excel displays a warning message that the file format and extension don't match (HTML table and XLS), but allows the user to open the file anyway.

    Today, users reported that these reports no longer work.  The issue appears to be caused by yesterday's patch - KB3170008.

    https://technet.microsoft.com/library/security/MS16-088
    https://support.microsoft.com/en-us/kb/3170008

    When opening one of these files, Excel will act as if no file is open.
    Users can save the file, then right click it, click Properties, and then click Unblock next to the "This file came from another computer and might be blocked to help protect this computer." warning.  After doing this, the file can be opened as before (with the warning about the file extension and formatting not matching).

    I've tried adding the location of the file (my desktop) to the list of trusted locations in the Trust Center within Office, but this doesn't change anything.  I've also reviewed all the Trust Center settings.  The only thing that has an effect is manually going to each file and clicking "Unblock" on the Properties dialog.

    To replicate:

    Create a new text file with the following contents:

    <HTML>
      <BODY>
        <TABLE>
          <TR>
            <TD>1</TD>
            <TD>2</TD>
            <TD>3</TD>
          </TR>
          <TR>
            <TD>A</TD>
            <TD>B</TD>
            <TD>C</TD>
          </TR>
        </TABLE>
      </BODY>
    </HTML>

    Save the text file as test.xls (and make sure it's not test.xls.txt).

    Open test.xls in Excel.

    Result:  Excel opens with a warning dialog, and clicking "Yes" results in the file opening with a basic table laid out across 2 rows and 3 columns.

    Next, save the text file to somewhere on the web and then redownload it to a drive supporting NTFS alternate data streams (a typical Windows XP/7/Vista/8/8.1/10 installation will do).  Open this file in Excel.

    Result:  Excel opens but acts as if no file has been loaded at all. You don't get a warning dialog about the file extension and formatting not matching, and you don't get a warning about Protected View or enabling editing.  You cannot view the file.

    Finally, right click the downloaded copy of the file and click Properties.  Then click "Unblock" at the bottom right and click OK.  Open the file in Excel again.

    Result:  Excel opens with a warning dialog, and clicking "Yes" results in the file opening with a basic table laid out across 2 rows and 3 columns.

    Is this behavior change due to KB3170008 intended?  If so, is it documented anywhere?  I couldn't find any mention of it in the bulletin.  Is there a way to revert this behavior?


    • Edited by conker123 Thursday, July 14, 2016 12:14 AM
    Thursday, July 14, 2016 12:12 AM
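A triage helper for the situation in the question, as an added example that is not part of the original post: it sniffs what an .xls file really contains and reads the zone recorded in the NTFS `Zone.Identifier` alternate data stream, the mark that the Properties > Unblock button removes. The function names, the verdict labels and the "zone 3 or higher counts as untrusted" rule are assumptions made for this sketch, not Excel's documented logic.

```python
import re
from typing import Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # binary .xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                        # .xlsx / .xlsb (zip container)
UTF8_BOM = b"\xef\xbb\xbf"
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed samples: the table from the question and a typical download mark.
SAMPLE_HTML = b"<HTML>\n  <BODY>\n    <TABLE>\n      <TR><TD>1</TD></TR>\n"
SAMPLE_MARK = "[ZoneTransfer]\r\nZoneId=3\r\n"


def sniff_format(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring the extension."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    text = head.lstrip().lower()
    if text.startswith(b"<?xml"):
        return "xml"
    if text.startswith(b"<") and re.search(rb"<(html|table|!doctype\s+html)\b", text):
        return "html"
    return "unknown"


def parse_zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Extract ZoneId from the text of a Zone.Identifier stream."""
    if not stream_text:
        return None
    match = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream_text, re.MULTILINE)
    return int(match.group(1)) if match else None


def read_zone_stream(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier; None when the stream or NTFS is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as handle:
            return handle.read()
    except OSError:
        return None


def triage(filename: str, head: bytes, zone_text: Optional[str]) -> dict:
    """Combine content sniffing and the zone mark into one verdict."""
    fmt = sniff_format(head)
    zone = parse_zone_id(zone_text)
    mismatch = filename.lower().endswith(".xls") and fmt in ("html", "xml")
    if mismatch and zone is not None and zone >= 3:   # assumption: 3+ is untrusted
        verdict = "blocked-case"      # markup in .xls with an Internet-zone mark
    elif mismatch:
        verdict = "mismatch-only"     # markup in .xls, no untrusted mark
    else:
        verdict = "no-mismatch"
    return {"format": fmt, "zone": ZONE_NAMES.get(zone, "none"), "verdict": verdict}


def triage_path(path: str) -> dict:
    """Same check for a file on disk (the zone is only available on NTFS)."""
    with open(path, "rb") as handle:
        head = handle.read(512)
    return triage(path, head, read_zone_stream(path))


if __name__ == "__main__":
    print(triage("test.xls", SAMPLE_HTML, SAMPLE_MARK))
    print(triage("test.xls", SAMPLE_HTML, None))  # after Unblock the stream is gone
```
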

Answers

  • The Excel team has released a change in HTML/XLS file behavior in today’s security update for Excel 2010, 2013, and 2016. Excel will warn about the mismatch between the file extension and HTML content, but will now open the workbook in Protected View as an additional layer of security. If you trust the workbook, you can then enable editing. XLA and XLAM files are not part of this change, they will continue to not open in Excel.

    How do I get the update? It depends on which version of Office you have.

    Issue recap:

    The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML, XLA, or XLAM file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security. After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened.

    Workarounds for .xla and .xlam files: https://support.microsoft.com/kb/3181507

    Thank you for your patience and input—community suggestions drove our decision to change this behavior in a way we hope will be much better for your workflows!

    • Proposed as answer by Freya [MSFT] Tuesday, August 9, 2016 5:25 PM
    • Marked as answer by conker123 Thursday, August 11, 2016 7:04 PM
    Tuesday, August 9, 2016 5:25 PM
  • Update: Our dev team is working on options to preserve security and assist customers with their workflow. Currently we do not have any further workarounds.

     

    Additional background: The security update changed how Excel handles documents that are opened from untrusted locations (such as the Internet zone) which are not supported in Protected View, such as HTML/XML/XLA files. Opening them without Protected View is a security vulnerability, and therefore files open from such locations are now blocked.  We realize this breaks compatibility with some existing solutions, and are working on getting these file types supported with Protected View.  Until that happens, users will need to manually trust the file before they open them in Excel, as demonstrated in one of the workaround suggestions.  Excel can still open these files without an issue if they are trusted. 

     

    We strongly recommend against removing the security update. It will leave your systems vulnerable. More information is located here: https://technet.microsoft.com/library/security/MS16-088?f=255&MSPPError=-2147217396. Specifically, the section regarding "Microsoft Office Security Feature Bypass Vulnerability – CVE-2016-3279".

     

    Additional information on implementing workaround options, by product version:

    Office 2016

    Here is information on Office Trusted Locations

    https://technet.microsoft.com/en-us/library/cc179039(v=office.16).aspx

    and information on Protected View settings

    https://technet.microsoft.com/en-us/library/ee857087(v=office.16).aspx

     

    Office 2013

    Here is information on Office Trusted Locations

    https://technet.microsoft.com/en-us/library/cc179039(v=office.15).aspx

    and information on Protected View settings

    https://technet.microsoft.com/en-us/library/ee857087(v=office.15).aspx

     

    Office 2010

    Here is information on Office Trusted Locations

    https://technet.microsoft.com/en-us/library/cc179039(v=office.14).aspx

    and information on Protected View settings

    https://technet.microsoft.com/en-us/library/ee857087(v=office.14).aspx

     

    Freya

    Office Newsroom

    • Proposed as answer by Freya [MSFT] Thursday, July 28, 2016 8:42 PM
    • Marked as answer by conker123 Thursday, August 11, 2016 7:04 PM
    Thursday, July 28, 2016 8:42 PM

All replies

  • After today we have this problem too.

    We have this behavior in office 2013, but not in Office 2016.

    We haven't found a solution yet.

    Thursday, July 14, 2016 9:33 AM
  • We are also hearing this today from several of our users and expect to hear from more.  The workaround we have found is to add your download folder as an Excel "trusted" location, like so:

    In Excel, go to File > Options > Trust Center, then click "Trust Center Settings".
    Click "Trusted Locations" then "Add New Location".
    Browse for your download folder (where you are saving the excel files) and press OK.
    This now adds that folder as a "trusted" location that Excel will open files from.  This should work now as it did before.

    We assume that there will be a correction for this bug from Microsoft in the near future.

    • Proposed as answer by Metry1750 Thursday, July 14, 2016 3:39 PM
    Thursday, July 14, 2016 3:37 PM
  • For us, adding the location to the list of trusted locations didn't help.

    You can test with this file (and you can view it in notepad first to make sure it's not malicious).

    http://www.filedropper.com/test_146

    • Edited by conker123 Thursday, July 14, 2016 4:20 PM
    Thursday, July 14, 2016 4:18 PM
  • We have customers that can't view reports because of this issue. Uninstalling this KB fixes it:

    KB3115262 MS16-088: Description of the security update for Excel 2013: July 12, 2016

    An estimation of when this will be fixed would be awesome.
    • Edited by Michael-116 Thursday, July 14, 2016 7:19 PM add info
    Thursday, July 14, 2016 7:17 PM
  • Does anyone know of any way to bring this to MS's attention?  All the blog posts about this update have comments disabled, I can't PM any of the official MS members, there's no way to email them, etc.
    Thursday, July 14, 2016 7:50 PM
  • We are also experiencing this issue with Office 2013 Pro Plus on win 7 x64 workstations.
    Friday, July 15, 2016 10:24 AM
  • Same here. Our customers cannot use our Excel export anymore. Very frustrating, Microsoft!
    Friday, July 15, 2016 12:55 PM
  • We have Office 2013 Pro Plus, Windows 7 Pro.

    My solution is:

    Right click the XLS file, Properties, Unblock.

    Yes, it's per file but more secure than changing a system wide setting. Also, we don't have a huge frequency of files like this so this work around is not that inconvenient.

    Cheers

    Additional: this is not an issue for the supplier of the files who is using O365
    • Edited by DT.ISA Friday, July 15, 2016 2:28 PM Further information
    Friday, July 15, 2016 2:26 PM
  • Has there been any fix on this yet? Or a solution?

    Every solution I tried from this topic and in google has not worked for me.

    Monday, July 18, 2016 8:18 AM
  • No, no fix, and no acknowledgment from MS.
    Monday, July 18, 2016 4:58 PM
  • Same here. The only thing I've got to work is to right click the downloaded copy of the file and click Properties.  Then click "Unblock" at the bottom right and click OK. 

    I would like to assume that there will be a correction for this bug from Microsoft in the near future but you never know.


    • Edited by Dyl0n Monday, July 18, 2016 9:17 PM
    Monday, July 18, 2016 9:07 PM
  • Same problem here. Have several projects that generate xls report and protect view totally blocks them. The two ways I found to temporary allow it is to either disable protected view or right click on the file and click the unblock options. Neither of these options seem feasible, is this a bug?
    Tuesday, July 19, 2016 12:15 PM
  • The Unblock method worked for me as well.

    • Edited by acoder2012 Tuesday, July 19, 2016 4:55 PM
    Tuesday, July 19, 2016 4:54 PM
  • Can confirm I'm also seeing this issue. Manually unblocking the file through the file properties will allow the file to be opened.
    Tuesday, July 19, 2016 5:30 PM
  • We see a similar issue with attempting to do an Export to Excel from MS Dynamics CRM from within Outlook.

    When you just attempt to open the file, the file doesn't actually open or "opens blank" per the end-user's complaint.

    Uninstalling patch 3115262 resolves the issue temporarily, but is obviously not a good solution in the long term.
    We have not tried the Trusted Locations for this since this would be the Temp directory in this instance.

    Wednesday, July 20, 2016 2:38 PM
  • I would like to add to the din.   We use a major, third-party online timesheet application where one can download reports in Excel.   We get the exact same messages illustrated above and can only open them by manually employing the above-mentioned, cumbersome workaround of "unblocking" in file properties.
    • Edited by mttcg Wednesday, July 20, 2016 3:15 PM
    Wednesday, July 20, 2016 3:15 PM
  • We are having this issue too with hundreds of exports.

    MICROSOFT: A solution is required!

    I have been trying to move our customers away from Microsoft for years. This stupid "fix" just proves my advice.

    Thursday, July 21, 2016 1:00 PM
  • Thanks so much for this! Our users experienced the same problem you noted and your solution has worked for your users, so far.

    Hoping that Microsoft fixes this bug ASAP.

    Thursday, July 21, 2016 7:18 PM
  • The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML or XLA file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security. After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened. We apologize that Excel is showing a blank screen instead of a more helpful error message with information about what to do next.

     

    We have a few options for workarounds. These are in order from safest to riskiest. While some people in the forums have suggested rolling back the security patch, we do not recommend that option as it can leave you open to other current and future threats.

    1. The best option is to move away from using HTML wrapped as .xls. If you use native formats (e.g. xls, xlsx, xlsb) which will open in protected view when untrusted, this will provide some level of protection from the documents being opened.
    2. You can unblock access for individual files you know are safe. To do this:
      1. Right click on the file and choose Properties
      2. On the General tab, click Unblock
      3. Click OK
    3. You can make use of existing Trusted Locations capabilities in Excel 2010, 2013, and 2016 via File -> options -> Trust Center -> Trust Center Settings -> Trusted Locations.
      1. You can save the web html file to a trusted location on the local machine (Excel comes with a set of default trust locations). If you do not see the local folder location you trust for these files, then press “Add new location…” button and add it in the Trusted Location dialog. If the HTML document is in a trusted location the KB fix is not applied (e.g. the unsafe HTML file is not blocked).
      2. This approach may unblock you, but it carries some risk as files of any file type in Trusted Locations are fully trusted. If an attacker can drop files into the trusted location they can easily exploit users who open such documents. Be especially cautious when specifying a custom folder as a trusted location.

     

    We are also investigating a more permanent solution that allows our users to remain secure as well as minimize disruption to existing user experience. We’ll provide updates on this in the coming days. Thank you for your patience.

     

    Freya

    Office Newsroom

    • Proposed as answer by Freya [MSFT] Thursday, July 21, 2016 9:38 PM
    • Marked as answer by conker123 Friday, July 22, 2016 12:08 AM
    • Unmarked as answer by conker123 Thursday, August 11, 2016 7:04 PM
    Thursday, July 21, 2016 9:38 PM
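Option 1 in the post above (serve a native format instead of HTML wrapped as .xls), sketched for the report generator's side as an added example that is not Microsoft's or any poster's code: it converts an HTML table like the one in the question into a minimal .xlsx package using only the Python standard library. The function names and the single-sheet layout are assumptions of this sketch.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from xml.sax.saxutils import escape

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
CT = "application/vnd.openxmlformats-officedocument.spreadsheetml."
XML = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
NUMBER = re.compile(r"-?(0|[1-9]\d*)(\.\d+)?")

# Constructed sample: the table from the question's repro steps.
SAMPLE_HTML = ("<HTML><BODY><TABLE><TR><TD>1</TD><TD>2</TD><TD>3</TD></TR>"
               "<TR><TD>A</TD><TD>B</TD><TD>C</TD></TR></TABLE></BODY></HTML>")


class TableRows(HTMLParser):
    """Collect the text of every <td>/<th>, grouped by <tr>."""

    def __init__(self):
        super().__init__()
        self.rows, self._cell = [], None

    def handle_starttag(self, tag, attrs):  # tag names arrive lower-cased
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th") and self.rows:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self.rows[-1].append("".join(self._cell).strip())
            self._cell = None


def col_name(index):
    """0 -> A, 25 -> Z, 26 -> AA."""
    name, index = "", index + 1
    while index:
        index, rem = divmod(index - 1, 26)
        name = chr(65 + rem) + name
    return name


def sheet_xml(rows):
    out = [XML, f'<worksheet xmlns="{NS_MAIN}"><sheetData>']
    for r, row in enumerate(rows, start=1):
        out.append(f'<row r="{r}">')
        for c, value in enumerate(row):
            ref = f"{col_name(c)}{r}"
            if NUMBER.fullmatch(value):
                out.append(f'<c r="{ref}"><v>{value}</v></c>')
            else:
                # Inline string: stored as literal text, never as a formula (<f>).
                out.append(f'<c r="{ref}" t="inlineStr"><is><t>'
                           f'{escape(value)}</t></is></c>')
        out.append("</row>")
    out.append("</sheetData></worksheet>")
    return "".join(out)


def html_table_to_xlsx(html):
    """Return the bytes of an .xlsx workbook holding the table's cells."""
    parser = TableRows()
    parser.feed(html)
    parser.close()
    parts = {
        "[Content_Types].xml": XML +
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType='
            '"application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/xl/workbook.xml" ContentType="{CT}sheet.main+xml"/>'
            f'<Override PartName="/xl/worksheets/sheet1.xml" ContentType="{CT}worksheet+xml"/>'
            '</Types>',
        "_rels/.rels": XML + f'<Relationships xmlns="{NS_PKG}"><Relationship Id="rId1" '
            f'Type="{NS_REL}/officeDocument" Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml": XML + f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
            '<sheet name="Report" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": XML + f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" '
            'Target="worksheets/sheet1.xml"/></Relationships>',
        "xl/worksheets/sheet1.xml": sheet_xml(parser.rows),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, body in parts.items():
            archive.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    with open("report.xlsx", "wb") as handle:
        handle.write(html_table_to_xlsx(SAMPLE_HTML))
```

Serve the result with an .xlsx file name and the `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet` content type so that extension and content agree.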
  • Thanks, but in our instance, specifying a trusted location (the desktop) and saving files from the browser directly to the desktop did not work.

    I don't see any reason why the same functionality as before couldn't be implemented - block the file from opening but show a protected view / similar dialog alerting the user to the reason and asking if they want to unblock and open the file.

    The unblock method works, but it has to be done on the file properties dialog, and this means that when users encounter the issue, they have to know what the issue is, close Excel, go back to the web page and save the file (instead of trying to directly open it from the web), then go to the properties dialog, unblock it, close the properties dialog, and finally reopen the file.

    At a bare minimum, a message dialog should be displayed explaining why the file wasn't opened.  And if you're going to do that, it's only half a step further to add a "Open File Anyway" button to that dialog.

    • Edited by conker123 Friday, July 22, 2016 12:18 AM
    Friday, July 22, 2016 12:08 AM
  • Echoing conker:

    The provided responses are not solutions, and Freya's response can be summarized as: (1) html as xls is no longer supported, and is blocked.

    (2) - Unblocking an individual file only works if the user is an admin on the machine.

    (3) - Just wrong. Trusted locations do not change the document behavior. Still fails to open with no dialog. (Office 2016-32 bit)

    Here are my known workarounds:

    (1) User e-mails the document to themselves, opens as attachment.

    (2) Disable Excel protected view for files originating from the Internet.

    (3) Uninstall the relevant KB from the machine.

    Friday, July 22, 2016 12:20 PM
  • Hi, I work in the Excel team and will bring this to the attention of some team members, so they can look into it. Thanks. 
    Friday, July 22, 2016 4:53 PM
  • Just a heads up. This stops our organization from viewing any files exported out of the views available in Microsoft Dynamics CRM.

    And the workaround is incredibly tedious for us to use.

    Friday, July 22, 2016 9:43 PM
  • I hope that Freya's 'answer' is just a temporary workaround and not the actual long term answer.

    Here's my response to the 'answer:'
    Option 1 - Not a (timely enough) option because third party code is involved.
    Option 2 - Works but is tedious and not practical. Users are balking when we tell them to do this.
    Option 3 - Simply doesn't work as advertised. Several other posters also stated this.

    I've contacted Microsoft about this issue. My strategy is to uninstall and hide KB3115262 or KB3115272. I requested a hotfix that would allow you to install the security Updates KB3115262 or KB3115272 and restore the previous functionality which is a prompt stating: "The file format and extension of [file.xls] don't match. The file
    could be corrupted or unsafe. Unless you trust its source, don't open it. Do you want to open it anyway?"

    Hopefully Microsoft will actually provide such a hotfix.
    Monday, July 25, 2016 12:41 PM
  • Thank you for responding. We hope you add an easier notification to open the file anyways, the work arounds are definitely not a long term solution as we have hundreds of end users and generating actual xls file for dozens of projects is really not within scope of development.
    Monday, July 25, 2016 1:02 PM
  • Yeah I added the C:\ drive as a trusted location and it still did not open the excel file. The only thing that did was to navigate to trust center settings>protected view and then uncheck the box titled "Enable Protected View for files originating from the Internet".

    Tuesday, July 26, 2016 8:24 PM
  • "We are also investigating a more permanent solution that allows our users to remain secure as well as minimize disruption to existing user experience. We’ll provide updates on this in the coming days."

    Freya, any update in regards to this issue?

    Wednesday, July 27, 2016 3:02 PM
  • A workaround from the user side: if the files are all coming from a specific site, the user can add that site to the Trusted Sites zone in Internet Options. Then Excel won't try to open the file in protected view.

    This assumes, of course, that you are getting the .xls files from a site that you completely trust and know will never have a bad .xls file.

    1. Type "Internet Options" in the start menu.
    2. Go to the Security tab, select Trusted Sites, and click Sites.
    3. Enter the URL of the page from which you are downloading the .xls files and click Add.


    Turning off protected view for just one website should be safer than turning it off for the entire internet.

    Edit: There appears to be a misconception that Internet Options applies only to Internet Explorer. This is not the case. The "Security" tab is a global Windows setting and affects all browser downloads (Chrome, Opera, Firefox, etc).

    Edit 2: You must uncheck "Require server verification (https:) for all sites in this zone" to add non-https sites (not recommended).



    • Proposed as answer by Browly Wednesday, July 27, 2016 5:53 PM
    • Edited by Browly Tuesday, August 9, 2016 6:33 PM Fix html image
    Wednesday, July 27, 2016 5:37 PM
  • Absolutely working on this as a top priority. I'll let you know as soon as I have something definitive.

    Freya

    Wednesday, July 27, 2016 5:38 PM
  • Only works for https sites!
    Wednesday, July 27, 2016 6:24 PM
  • Just uncheck 'Require server verification (https:)for all sites in this zone' and then you can add http sites. This solved our problem.

    Thursday, July 28, 2016 9:39 AM
  • Add your network share or DFS root server to "Trusted sites" in Internet Explorer via GPO:

    Policies
      Administrative Templates
        Windows Components
          Internet Explorer
            Internet Control Panel
              Security Page
               Site to Zone Assignment List
    This solution also works for network file shares both UNC and DFS




    • Edited by xander_cage Friday, July 29, 2016 1:00 PM
    • Proposed as answer by xander_cage Friday, July 29, 2016 1:01 PM
    Friday, July 29, 2016 12:54 PM
  • As far as I am concerned, this issue still isn't resolved.

    Option 1: change code - Not a (timely enough) option because third party code is involved.
    Option 2: Unblocking files - Works but is tedious and not practical. Users are balking when we tell them to do this. Users tell us, “Excel is broken! Fix it!” Many less savvy users do not know how to unblock an Excel file. Some users process many of these types of Excel files a day and will be extremely annoyed if they must unblock every single one.
    Option 3: Simply doesn’t work as advertised. We have sent a PSR to Microsoft that demonstrates this.

    And trusting the site in Internet Explorer doesn't help, either.

    Bottom line is users see Excel in its current state as broken and are asking us to fix it. We provide them with the three options that Microsoft has suggested. Options 1 and 2 are NOT appealing because they are either not timely enough or impractical. Option 3 would be great if it actually worked consistently.

    Users just want Excel to work like it did prior to installing these Security Patches – when users could still open these files without having to jump through hoops. At this point, we have no other choice but to leave KB3115322, KB3115262, & KB3115272 unapproved and hope for an actual hotfix that will restore prior functionality.

    Also, To Microsoft: there should be “Known issues” publicized in the above three KB articles.

    Friday, July 29, 2016 2:10 PM
  • FWIW, we found using "Save and Open" in Internet Explorer gave us a temporary workaround.  Our users would typically just click "Open" and Excel would launch, and the security prompt would show.  Choosing "save and open" essentially stores the file on the local PC which we are trusting and they get the prompt as they did before.  We still want this fixed though so our users don't have to remember this workaround forever. Please keep us informed on progress/ETA.

    Friday, July 29, 2016 5:33 PM
  • None of the workarounds are valid options for our users; all of whom are government employees and none of whom will have admin privileges on their laptops to add something as a trusted source. That would have to be pre-approved by the network manager and takes weeks if not months.
    Friday, July 29, 2016 7:31 PM
  • Is there an update on this issue? Is a hot fix still in the works? This is causing a lot of headaches for our customers. Thanks
    Tuesday, August 2, 2016 2:05 PM
  • We, too, are in need of an actual "fix", and not a kludgy workaround (that really doesn't work anyway); we have several hundred users in need of this functionality to be restored. They only have limited user accounts, so they cannot unblock the files individually (and, quite frankly, the mere suggestion that this is to be considered a "fix" is reprehensible, from an InfoSec standpoint alone); there's no way that the third party code will be changed in a timeframe acceptable to the business; and the GPO suggestion to add *anywhere* local as a trusted location is also utterly idiotic from a security standpoint. Who even did the QA on this patch? It's an epic fail, by any stretch of the imagination. I'm at the point where we could start testing rolling out LibreOffice to reclaim the lost functionality of this barely tested "security" patch - the end users are certainly "secure", from doing their jobs. -Hockey Bob
    Tuesday, August 2, 2016 3:32 PM
  • This didn't work for me. Also my users are using Chrome, Firefox and Internet Explorer so I'm pretty sure that this would only work for the ones using IE.
    Tuesday, August 2, 2016 3:37 PM
  • You could probably go to File>Options>Trust Center>Trust Center Settings>Protected View Menu and then uncheck the box "Enable Protected view for files originating from the internet". This has worked on most of the machines that I have come across on our network.
    • Proposed as answer by GarrettIT Tuesday, August 2, 2016 3:52 PM
    • Unproposed as answer by GarrettIT Thursday, August 11, 2016 12:47 PM
    Tuesday, August 2, 2016 3:39 PM
  • To echo the other users - A realistic resolution is still needed for this issue. The suggested workarounds are not workable options for us or our users. Our clients are government users who are unable to modify their trust center settings. We have hundreds of custom reports and don't have resources available to dedicate to the task of refactoring each and every one. Please advise.
    Tuesday, August 2, 2016 4:19 PM
  • Not an option - as already mentioned, removing these security settings is not realistic, nor a smart idea, especially in an environment like ours, where things are already severely restricted to begin with. Microsoft broke this - they can fix it, too, without having us have to make our machines even more vulnerable to attack.
    Tuesday, August 2, 2016 6:45 PM
  • I agree, but we can't wait for them to fix it while our end users suffer. Sorry that this workaround wasn't exactly what you were looking for. 
    Tuesday, August 2, 2016 9:48 PM
  • How can you possibly not test this when a company as big as Salesforce uses this as their primary delivery method??
    Tuesday, August 2, 2016 10:12 PM
  • This is a stupid change and breaks lots of stuff including MS own functionality in CRM 2011.
    Wednesday, August 3, 2016 1:23 PM
  • Evidently, I've touched a nerve somewhere in Redmond, as my initial post about this bungled patch was deleted. This is my shocked face; :-\

    In the interests of clarity, I'll keep this simple.

    As others have already pointed out in detail, the purported fixes being proposed are not at all feasible, nor acceptable, for our organization; due to either the inability to rewrite 3rd party code, lack of staff or other resources to repair what's been broken, security policies prohibiting rollback of required patches, or machines and user accounts locked down to the point that the users cannot make the suggested changes. Just fix it already.

    I'll check back later for updates - please leave my post up long enough for the Excel team to at least read it, before nuking it again. Thanks. -Hockey Bob

    Wednesday, August 3, 2016 7:46 PM
  • It has been 7 days since the last update.

     'Update: Our dev team is working on options to preserve security and assist customers with their workflow. Currently we do not have any further workarounds.'

    This leads me to believe something might be in the process of happening, can we get a status on this?

    All of the provided suggestions are either security risks, or not accessible for non elevated permission users, so we cannot implement them.

    Thank you,

    Aaron  

    Friday, August 5, 2016 7:26 PM
  • Does not work for HTTPS sites - none of our users can download
    Monday, August 8, 2016 3:46 PM
  • Microsoft, any updates?  Expected timeline on a fix?
    Monday, August 8, 2016 11:15 PM
  • @GarrettIT The Internet Options are actually a global setting and apply to all browsers, not just Internet Explorer. We are using Chrome.
    • Edited by Browly Tuesday, August 9, 2016 6:24 PM specify audience
    Tuesday, August 9, 2016 6:23 PM
  • Here's a longer workaround for users without Administrative access: open the .xls in Google Sheets and then download it as a .xlsx. The downloaded .xlsx file will be in a true .xlsx format that can be opened successfully in Excel's Protected View.

    I tried doing this in Excel Online, but it couldn't open the .xls file, either. Google Sheets seems to have no trouble with it, though.

    1. Go to sheets.google.com
    2. Click "Open File Picker" (folder icon) in the upper right corner.
    3. Go to the "Upload" tab and select the .xls file that you can't open.
    4. The file opens in Google Sheets. Go to File > Download as > "Microsoft Excel (xlsx)".
    5. The downloaded .xlsx file opens in Excel Protected View just fine, even though it is still "blocked" since it originated from the internet.

    Using Google's APIs, I bet you could automate this on the Developer's side to have the file just download in .xlsx format in the first place. I haven't checked, though.

    Note that simply changing the extension from ".xls" to ".xlsx" is insufficient. Google Sheets converts the internal structure of the file from HTML-based to XML-based.
    • Edited by Browly Tuesday, August 9, 2016 6:53 PM forgot step 5
    Tuesday, August 9, 2016 6:46 PM
  • Here's a shorter workaround for users without any administrative access: change the extension to .html, open the table in your browser, then copy and paste the whole table into a blank Excel worksheet.

    1. On the "View" tab, check the box for "File Name Extensions" to display them.
    2. On the file that you can open, change the .xls at the end to .html (or just append .html on the end).
    3. Double-click the file to open it in your internet browser. A table will display. Hit Ctrl+A to select the entire table, then Ctrl+C to copy it to your clipboard.
    4. Launch Excel. Open a blank workbook, then hit Ctrl+V to paste the table into Excel. (I prefer "Keep Text Only" from the Special Paste menu, personally.)
    Tuesday, August 9, 2016 7:15 PM
  • The three new updates:
    KB3115438, KB3115455, KB3115476
    seem to be an immense help!

    One remaining question is: when will these be available in WSUS or the Microsoft Update Catalog?

    Tuesday, August 9, 2016 7:36 PM
  • Is there a reason these new updates are not available in WSUS or the Update Catalog?  Will they be added in future?
    • Edited by DaveLiveN Wednesday, August 10, 2016 8:37 AM
    Wednesday, August 10, 2016 8:34 AM

  • We cannot always trust files, so it's better to first convert them to actual Excel format and then open them. We will also not have security issues once they are converted to Excel format.

    There is open source code to convert an HTML-wrapped file to Excel (xls 2003 format). You can install that, embed that service, and improve on it if required, as it's open source.

    https://github.com/ashwinrayaprolu1984/htmlwrapexcelconverter

    Wednesday, August 10, 2016 4:29 PM
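Two posts above suggest serving a real Excel format instead of an HTML table named .xls: the Google Sheets workaround (which notes that the internal structure must change from HTML-based to XML-based) and the converter suggestion. The following is an added example of that server-side conversion, not part of the thread and not the linked project's code; it uses only the Python standard library, and the function names and the sheet name "Report" are assumptions.

```python
# Added example, not code from the thread. The sheet name "Report" is an assumption.
import io, zipfile
from html.parser import HTMLParser
from xml.sax.saxutils import escape

class TableRows(HTMLParser):  # collects cell text, one list per <tr>
    def __init__(self):
        super().__init__()
        self.rows, self.cell = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th") and self.rows:
            self.cell = []
    def handle_data(self, data):
        if self.cell is not None:
            self.cell.append(data)
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self.cell is not None:
            self.rows[-1].append("".join(self.cell).strip())
            self.cell = None

def col(i):  # 0 -> A, 25 -> Z, 26 -> AA
    s = ""
    while i >= 0:
        s, i = chr(65 + i % 26) + s, i // 26 - 1
    return s

O = "http://schemas.openxmlformats.org/"
STATIC = {  # fixed package parts of a one-sheet workbook
    "[Content_Types].xml": f'<Types xmlns="{O}package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>',
    "_rels/.rels": f'<Relationships xmlns="{O}package/2006/relationships"><Relationship Id="rId1" Type="{O}officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>',
    "xl/workbook.xml": f'<workbook xmlns="{O}spreadsheetml/2006/main" xmlns:r="{O}officeDocument/2006/relationships"><sheets><sheet name="Report" sheetId="1" r:id="rId1"/></sheets></workbook>',
    "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{O}package/2006/relationships"><Relationship Id="rId1" Type="{O}officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>',
}

def html_to_xlsx(html):  # cells are written as inline strings, so "=..." stays text
    p = TableRows()
    p.feed(html)
    p.close()
    body = "".join(f'<row r="{r}">' + "".join(
        f'<c r="{col(c)}{r}" t="inlineStr"><is><t>{escape(v)}</t></is></c>'
        for c, v in enumerate(row)) + "</row>" for r, row in enumerate(p.rows, 1))
    sheet = f'<worksheet xmlns="{O}spreadsheetml/2006/main"><sheetData>{body}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in {**STATIC, "xl/worksheets/sheet1.xml": sheet}.items():
            z.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + xml)
    return buf.getvalue()
```

Serve the returned bytes with an .xlsx file name so that extension and content agree; the output starts with the ZIP signature `PK` rather than `<HTML>`.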
  • Having just applied update KB3115455 I find this:

    Open the file, Excel asks if I'm sure I want to open it. I click Yes.

    Excel reports (in a message box that unhelpfully appears behind everything else) "The file is corrupt and cannot be opened".

    If I unblock the file from its properties it will still open with no issues. It is not corrupt.

    But hey, at least I get an error message instead of a silent fail.

    Friday, August 12, 2016 10:14 AM
  • Same here. Getting "The file is corrupt and cannot be opened"
    • Edited by MR_IT_ Friday, August 12, 2016 2:20 PM
    Friday, August 12, 2016 2:20 PM
  • Hello,

    Have you been able to find a patch that addresses the issue?

    We've been following this very closely as we're impacted and keep getting the same messages.

    Last week MS released KB3118284 (Office 2013) which was supposed to address this issue and many others. After some heavy testing, we concluded that the attempt failed again. This happens even if the old patches are removed and just KB3118284 is installed.  And by old patches I mean KB3115262 and KB3115455.

    More info on the latest patch can be found here:

    support.microsoft.com/en-us/kb/3185852

    support.microsoft.com/en-us/kb/3118284

    Thank you so much

    AG

    Monday, September 19, 2016 10:09 PM
  • The best workaround so far that has worked well for me is below... quick and efficient.

    File > Options > Add-in > Manage COM Add-In, then uncheck the box "document security extension for Microsoft Office" and click OK. This enabled all of the functionality that was not previously working.

    Tuesday, August 15, 2017 5:39 AM