MS16-148: Description of the security update for Excel 2016: December 13, 2016

Applies to: Excel 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-148.

Note To apply this security update, you must have the release version of Excel 2016 installed on the computer.

For a complete list of affected versions of Microsoft Office software, see Microsoft Knowledge Base article 3204068.

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues:
  • Improve performance of rendering the custom filter list of items when the list contains long strings.
  • When you use Microsoft Excel 2016 with a printer that is added on the computer or that is accessible in a remote session, Excel 2016 crashes.
  • When you do a find-and-replace operation by using the clipboard marquee, you experience slow performance.
  • When you switch single document interface (SDI) windows and select sheets in Excel 2016, Excel crashes.
  • Excel 2016 silently fails to complete loading a workbook. When this happens, the workbook may be functional, but you may be unable to save it.
  • When you try to load HTML documents that contain <input/> tags in the protected view, you receive a corrupted file alert, and the documents can't be opened.
  • It takes a long time to paste filtered selection data from large tables.
  • When an add-in or macro code tries to access a property on a shape control that no longer exists, Excel 2016 may crash. This update returns an error status instead of crashing.
  • You may fail to load the Solver Add-in.
  • This update makes handling of click events on embedded content more secure.
After you install the update, when you try to open an .XLW file from an untrusted location, you will receive the following failure alerts message, and the file can't be opened:
We found a problem with some content in <file_name>.xlw. Do you want us to try to recover as much as we can? If you trust the source of this workbook, click Yes.
You can unblock this file or put the file to a trusted location by using the following steps.

Unblock access for individual files

To unblock access for individual files that you know are safe, follow these steps:
  1. Right-click the file, and then select Properties.
  2. On the General tab, select Unblock.
  3. Click OK.

Use Trusted Locations

To use the existing Trusted Locations capabilities of Excel 2016, 2013, and 2010, follow these steps:
  1. Access the Trusted Locations feature. To do this, select File > Options > Trust Center > Trust Center Settings > Trusted Locations.
  2. Save the HTML file to a trusted location on the local computer. (Excel provides a set of default trust locations.) If there is no trusted local folder location listed, select Add new location, and then add the location in the Trusted Location dialog box.
The following guidelines apply to the Trusted Locations feature:
  • If the XLW document is in a trusted location, the Knowledge Base fix is not applied (that is, the unsafe XLW file is not blocked).
  • To help prevent Internet Explorer from tagging files as untrusted, add the source website from which you download the files as a trusted site in the browser. To do this, select Tools > Internet Options > Security > Trusted sites.
  • Using Trusted Locations can unblock you. However, it also creates some risks. This is because files of any file type that are listed in Trusted Locations are fully trusted. An attacker who can add files to the trusted location can easily exploit users who open such documents. Therefore, you should be especially cautious when you specify a custom folder as a trusted location.

How to get and install the update

Method 1: Microsoft Update 

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information

Security update deployment information

For deployment information about this update, see Microsoft Knowledge Base article 3204068.

Security update replacement information

This security update replaces previously released security update 3127904.

File hash information

Package NamePackage Hash SHA 1Package Hash SHA 2