Recently, Microsoft issued a series of updates to tighten security around the handling of certain file types, updates that are impacting Developers and End-Users alike. In the past, opening a downloaded Excel (.XLS) file may have presented you with a security warning that there was a mismatch between the file format and file extension. Clicking “Yes” to proceed with opening the file still allowed you full access to the file’s contents.
While the message was never convenient, it was a small price to pay to have access to data and reports from various sites and applications. With Microsoft’s security updates, that warning no longer appears as the content is blocked outright. Additionally, no context is provided by the behavior, presenting the user with what appears to be an empty file and no explanation about how to access their information. Understandably, the easy assumption to make would be that the site or app failed to export the data properly. This presents developers and support personnel with the task of having to explain Microsoft’s unexpected change in course.
Freya, a representative for the Microsoft Office Newsroom, responded to a TechNet post regarding the change. She acknowledged the lack of context behind the blocked files, apologizing for the absence of actionable information for End-Users. She also identified the specific updates that caused the issue and provided more information and workaround options. Three options were listed and, per Freya, “[…] are in order from safest to riskiest.” Issuetrak does not advocate for any measures that reduce client security and highly recommends working with your IT Department before proceeding with any of the options provided.
The first two workarounds involve changes in Developer and End-User behavior. On the development side, Freya suggests moving away from using HTML to wrap .XLS files. Doing so would result in files being provided without formatting, which can impact both the usability and branding of the downloaded reports. For End-Users, the suggestion is to unblock the individual files after downloading, which can be accomplished by right-clicking the file, choosing Properties, and clicking “Unblock” on the General tab. While this allows the content to display, it is not a streamlined End-User experience.
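For developers and support staff who need to confirm whether an export is an HTML document saved under an .XLS name (the format/extension mismatch described above), the following added example classifies a file by its leading bytes. It is not code from Issuetrak or Microsoft; the function names and the sample file names and contents are constructed for illustration.

```python
from pathlib import Path

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # binary .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # .xlsx/.xlsm (ZIP-based package)
HTML_MARKERS = (b"<html", b"<!doctype html", b"<table", b"<head", b"<meta", b"<body")
EXPECTED = {".xls": "ole2", ".xlsx": "zip", ".xlsm": "zip"}

def sniff_format(head: bytes) -> str:
    """Classify a file from its first bytes, ignoring the extension."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    # Skip a UTF-8 BOM and leading whitespace before looking for markup.
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if text.startswith(b"<") and any(m in text[:1024] for m in HTML_MARKERS):
        return "html"
    return "unknown"

def check_export(name: str, head: bytes) -> dict:
    """Compare what the extension claims with what the content is."""
    ext = Path(name).suffix.lower()
    actual = sniff_format(head)
    expected = EXPECTED.get(ext)
    return {
        "file": name,
        "actual": actual,
        "mismatch": expected is not None and actual != expected,
        "html_wrapped_xls": ext == ".xls" and actual == "html",
    }

def check_file(path: str) -> dict:
    """Same check for a file on disk; only the first 2 KiB are read."""
    with open(path, "rb") as fh:
        return check_export(path, fh.read(2048))

# Constructed sample inputs (not real exports).
SAMPLES = {
    "open_issues.xls": b'\xef\xbb\xbf<html xmlns:x="urn:schemas-microsoft-com:'
                       b'office:excel"><body><table><tr><td>1</td></tr></table>',
    "legacy.xls": OLE2_MAGIC + b"\x00" * 24,
    "report.xlsx": ZIP_MAGIC + b"\x14\x00",
}

def scan_samples() -> list:
    return [check_export(name, data) for name, data in SAMPLES.items()]

if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

Only `open_issues.xls` in the samples is reported as `html_wrapped_xls`; the genuine binary and ZIP-based workbooks show no mismatch.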
The final workaround involves downloading the file(s) to an existing Trusted Location as identified within Excel 2010, 2013, and 2016, or first adding a Trusted Location and downloading the file(s) to that folder on your local machine. Theoretically, files opened from this location should function normally; however, multiple respondents to Freya’s post have attempted this step and found it to be unsuccessful. Furthermore, the addition of a local folder to the Trusted Locations list represents a fairly dramatic reduction in security. As Freya is right to point out, “If an attacker can drop files into the trusted location they can easily exploit users who open such documents. Be especially cautious when specifying a custom folder as a trusted location.”
Other than the above, the most important piece of her response pertains to the future: “We are also investigating a more permanent solution that allows our users to remain secure as well as minimize disruption to existing user experience. We’ll provide updates on this in the coming days.” While it is reassuring that Microsoft intends to address the concern, it is important to note that there was no mention of rolling back the changes, meaning we should expect this behavior to remain in place.
For Issuetrak users, we have a Knowledge Base (KB) article that addresses the change with two additional workarounds that have been demonstrated successfully. As mentioned previously, we do not advocate any measures that reduce security and highly recommend working with your IT Department on any workarounds. The first approach would require your Issuetrak site be added to the list of Trusted Sites under Internet Options. The second option is to disable Protected View for files originating from the Internet within Microsoft Excel. As we work on the continual improvement of the Issuetrak application, we’ll be investigating ways to address this problem directly.
For more information about the updates and workarounds, here are various resources that discuss the changes, including the response from Freya.