Blog

On July 12th, 2016 Microsoft pushed out a large security patch (MS16-088) that prevents HTML wrapped dynamically generated .XLS files created by ColdFusion from being opened in Excel 2010, 2013 and 2016. 

Previous to the security update Excel would prompt the user to confirm that they wished to open a file from an untrusted location. After the security update Excel opens to a blank screen with no warning dialog or explanation of why the file did not open. 

This issue doesn’t only impact .XLS files created by ColdFusion. It appears that it affects other platforms including large players like Salesforce.

The official Microsoft Excel Support site recommends 3 possible workarounds.  

1. Stop using HTML wrapped .XLS files.  ( Really… That will go over well with clients…) 

2. Individually unblock each file before opening it in the Properties dialogue. 

3. Create a “Trusted Locations” folder in Excel to open the file from.  

Needless to say this has already caused some urgent calls from customers demanding an explanation. From their perspective nothing has changed. It can be tough to explain the situation to clients, when as a developer you have no control over the root cause, and the client places the blame in your direction. 

One workaround not mentioned in the Microsoft Support site is to ditch Microsoft Excel and use OpenOffice to open the .XLS files. ( It works just fine.) 

OpenOffice is the short term solution I am offering up to my clients that aren’t happy with the situation.   

Another possible workaround, which I will try later on today, is to generate a .CSV file instead of a .XLS file and see if Excel will open it. 

*Update 12/27/16

Thanks to Steven Neilanf for confirming that .CSV files will open and for the suggestion to use 

cfsimplicity's poi library  as a possible server side solution.