It's raining patches. This week we've seen a barrage of updates to Windows 10 (pick your flavor), nine security bulletins, 28 security patches for Office, and a killer patch for Windows Journal on Win10. Combined that with last week's 40-odd Office non-security patches, which won't be available on WSUS until Aug. 16, the same date that the Anniversary Update, version 1607, rolls out on WSUS. There should be a big black mark on every admin's calendar for Aug. 16. It's a good day to plan to be out sick.
I figure we have enough patching fodder this month for two thick novels. I also think Microsoft's in cahoots with the U.S. Labor Department, trying to pump up system admin employment figures for the August jobs report.
Buried in this mountain of 63 individual patches and voluminous Click-to-Run changes is one very good development for Excel users.
Last month's buggy Excel patches, KB 3115322 (Security update for Excel 2010) and KB 3115262 (Security update for Excel 2013), have been fixed, at least in part. Since I wrote about them last month, I've received confirmation that the bug also affects Excel 2016 and both Office 365 for 2016 and Office 365 for 2013. It's a grand slam for all versions of Excel released since the turn of the decade. Every one of them was broken by the patches last month.
Once you install last month's patches for any of those versions of Excel (or they're installed for you as part of the Click-to-Run nastiness), Excel changes the way it opens HTML or XLA files that have an XLS extension. Microsoft employee Freya explained:
The Excel team has made a change in the behavior of certain file types to increase security. This change came in the security updates KB3115262, KB3170008, and KB3115322. Previously, when you tried to open an HTML or XLA file with an .XLS file extension from an untrusted location, Excel would warn about the mismatch between the file extension and content, but would still open the workbook without Protected View security. After the security updates Excel no longer will open the workbook because these files are not compatible with Protected View and there is no warning or other indication it was not opened. We apologize that Excel is showing a blank screen instead of a more helpful error message with information about what to do next.
Microsoft implemented these, uh, security improvements without warning anybody, and Freya's revelation didn't appear until nine days after the change took place. Excel developers and many admins were livid as the unannounced change broke data exporting from many big-name packages -- includingMicrosoft's own Dynamics CRM.
The patches released this week solve the problem for HTML files masquerading as XLS, but they don't solve the problem for XLA or XLAM files (which, as Excel Add-in files, appear to be much less of a nuisance). Here's Freya's news:
The Excel team has released a change in HTML/XLS file behavior in today's security update for Excel 2010, 2013, and 2016. Excel will warn about the mismatch between the file extension and HTML content, but will now open the workbook in Protected View as an additional layer of security. If you trust the workbook, you can then enable editing.
To my way of thinking, that's how it should've been implemented in the first place, and Microsoft should've warned Excel users about the impending change, months in advance.
The fix should show up in Office 365 for 2016 (build 16.0.7070.2036) and Office 365 for 2013 (build 15.0.4849.1003) -- for those of you stuck with Click-to-Run -- and in individual patches KB 3115438 (for Excel 2016), KB 3115455 (for Excel 2013), and KB 3115476 (for Excel 2010). Those last three patches won't be out for corporate distribution, via WSUS, until Aug. 16, although you may be able to install them manually.
Office 365 Click-to-Run versions have had a bad buggy streak. In December, Office 365 Click-to-Run wiped out Word macros and customizations. In February, we had a Click-to-Run bug that froze documents as soon as they were opened, and a second CtR bug that knocked out POP3 communication badly enough to delete emails. In April, Office 2013 CtR started crashing Lync (Skype for Business) and Outlook. In June, it was a bug that kept Office apps from opening, throwing an error 30145-4.