Please note javascript is required for full website functionality.


Buggin' Out #4: HTML Files with .xls

7 August 2016

Microsoft updates means new and improved features, but it also means the odd bug slipping through. In this incidental series we cover some of the recent known issues that have cropped up and how to fix and / or circumvent them.

HTML Files with .xls

Users have reported that HTML files with .xls extensions are not opening outside Protected View in Excel 2010, 2013 or 2016.

In order to increase security, the behaviour of certain file types has been changed. These changes have emanated from security updates KB3115262, KB3170008 and KB3115322. The security update changed how Excel handles documents that are opened from untrusted locations (such the Internet zone) which are not supported in Protected View, such as HTML, xml and xla files. Opening these documents without Protected View is seen as a security vulnerability and therefore files open from such locations have now been blocked.

Therefore, users will need to manually trust the file before they open them in Excel. Excel can still open these files without an issue if they are trusted. It would be nice though if Excel displayed a more helpful error message with information about what to do next rather than showing a blank screen.

Microsoft strongly recommends against removing the security updates. These actions will leave your systems vulnerable. More information is located here. In particular, please refer to the section regarding "Microsoft Office Security Feature Bypass Vulnerability – CVE-2016-3279" if this affects you.

As workarounds, the best option is to move away from using HTML wrapped as an .xls document. If you use native formats (e.g. xls, xlsx, xlsb) which will open in protected view when untrusted, this will provide some level of protection from the documents being opened.

Otherwise, you can unblock access for individual files you know are safe. To do this

  • Right-click the file, and choose Properties
  • On the General tab, click Unblock
  • Click OK.

Alternatively, you can make use of existing Trusted Locations capabilities in Excel 2010, 2013 and 2016 via File > Options > Trust Center > Trust Center Settings > Trusted Locations.

You can save the web html file to a trusted location on the local machine (Excel comes with a set of default trust locations). If you do not see the local folder location you trust for these files, then press “Add new location…” button and add it in the Trusted Location dialog. If the HTML document is in a trusted location the KB fix is not applied (e.g. the unsafe HTML file is not blocked).

This approach may unblock you, but it carries some risk as files of any file type in Trusted Locations are fully trusted. If an attacker can drop files into the trusted location they can easily exploit users who open such documents. Be especially cautious when specifying a custom folder as a trusted location.

There are further resources on implementing workaround options, by product version:

Office 2016

Office Trusted Locations

Protected View Settings

Office 2013

Office Trusted Locations

Protected View Settings

Office 2010

Office Trusted Locations

Protected View Settings

We will report on other bug fixes and workarounds as and when necessary. Hopefully, this will not be too regular a feature!! In the meantime, if you experience any Excel issues and require help, do feel free to drop us a line at - we can't promise to answer every question, but we'll try our best.