[German]On November 12, 2024, Microsoft released the security update KB5002653 for Microsoft Excel 2016 (MSI version) to close various vulnerabilities. After installing the update, add-ins can no longer be loaded.
Advertising
Update KB5002653 for Microsoft Excel 2016
I mentioned it briefly in the blog post Patchday: Microsoft Office Updates (November 12, 2024). Microsoft has released the security update KB5002653 for Microsoft Excel 2016 (MSI version) on November 12, 2024.
This security update is intended to close the Remote Code Execution vulnerabilities CVE-2024-49026 (Improper Neutralization of Special Elements used in a Command ('Command Injection')), CVE-2024-49027 (Use After Free, CVSS 3.1 Score 7.8), CVE-2024-49028 (Out-of-bounds Read), CVE-2024-49029 (Use of Uninitialized Resource) und CVE-2024-49030 (Heap-based Buffer Overflow). All of the RCE vulnerabilities were rated as important with a CVSS 3.1 score of 7.8.
The vulnerabilities can also be found in the Click-2-Run versions of Microsoft Excel and were closed there with the updates from November 12, 2024.
Excel 2016 can no longer load add-ins
A blog reader contacted me by email on November 13, 2024 and noted that after installing the KB5002653 update, no add-ins are loaded when Excel is started (I mentioned this in the article Patchday: Microsoft Office Updates (November 12, 2024)). However, this does not seem to be an isolated case.
Analyzing this error
In this comment, German blog reader kheldorn reports the same error. Since installing the Office updates for Office 2016, he has also noticed problems with add-ins loading. The reader looked in the Event Viewer under "Microsoft Office Alerts" under "Applications and Services Logs". For example, Excel tries to load the file:
"C:\Users\username\AppData\Roaming\Microsoft\AddIns\LASSIST.XLA"
although this was actually named "VLASSIST.XLA". This can be seen in entries found in the Event Viewer:
Advertising
Microsoft Excel Wir konnten 'C:\Users\username\AppData\Roaming\Microsoft\AddIns\LASSIST.XLA' nicht finden. Wurde das Objekt vielleicht verschoben, umbenannt oder gelöscht? P1: 100202 P2: 16.0.5474.1000 P3: P4:
The reader has found out that manually removing the wrong add-in entry and then adding the add-in again temporarily fixes the problem. The add-in can be reloaded and then works for a short time.
There is a workaround
After restarting Excel 2016, however, the error is there again, the add-in cannot be loaded because it is being searched for with the wrong file name. If you rename the file to "LASSIST.XLA", for example, Excel 2016 loads the add-in correctly as long as it is included with the name "VLASSIST.XLA". This is probably the better option than uninstalling update KB5002653.
Reports on reddit.com and MS Answers
The bug is affecting more users. Blog reader kheldorn pointed in a comment to the reddit.com post Office addins broken after updates ?, where another user reports this error in Microsoft Excel 2016 and asks if anyone else is affected. There kheldorn has added his findings above.
There is a second reddit.com post KB5002653 breaks Excel xla & xlam add-ins,
where this error pattern is also described. The thread starter notes that when testing KB5002653 (security update for Excel 2016), it was found that loading xla(m) Excel add-ins is broken. Excel does not load the add-ins because the first character of the path to the add-ins file is truncated. This leads to the add-in file not being found. Thanks to kheldorn for the hint.
Addendum: After publishing this blog post, I've found also a thread Unable to run Excel Add-ins after (KB5002653) latest patch on Microsoft Asnwers.
Microsoft confirms the bug
According to this German comment from reader kheldorn Microsoft ha confirmed the bug in the support article Description of the security update for Excel 2016: November 12, 2024 (KB5002653) in the "Known issues" sections.
After you install this update, Excel add-ins that were enabled the last time you used Excel may not load properly when you open Excel.
The workaround Microsoft is proposing: To work around this issue, open the add-ins manually by double-clicking them or selecting File > Open.
Similar articles:
Microsoft Security Update Summary (November 12, 2024)
Patchday: Windows 10/Server Updates (November 12, 2024)
Patchday: Windows 11/Server 2022 Updates (November 12, 2024)
Patchday: Windows Server 2012 / R2 and Windows 7 (November 12, 2024)
Patchday: Microsoft Office Updates (November 12, 2024)
Advertising