Excel 2016 can no longer load add-ins after Nov. 2024 update KB5002653

On November 12, 2024, Microsoft released the security update KB5002653 for Microsoft Excel 2016 (MSI version) to close various vulnerabilities. After installing the update, add-ins can no longer be loaded.


Update KB5002653 for Microsoft Excel 2016

I mentioned it briefly in the blog post Patchday: Microsoft Office Updates (November 12, 2024). Microsoft released the security update KB5002653 for Microsoft Excel 2016 (MSI version) on November 12, 2024.

This security update is intended to close the Remote Code Execution vulnerabilities CVE-2024-49026 (Improper Neutralization of Special Elements used in a Command ('Command Injection')), CVE-2024-49027 (Use After Free, CVSS 3.1 Score 7.8), CVE-2024-49028 (Out-of-bounds Read), CVE-2024-49029 (Use of Uninitialized Resource) and CVE-2024-49030 (Heap-based Buffer Overflow). All of the RCE vulnerabilities were rated as important with a CVSS 3.1 score of 7.8.
The vulnerabilities can also be found in the Click-2-Run versions of Microsoft Excel and were closed there with the updates from November 12, 2024.

Excel 2016 can no longer load add-ins

A blog reader contacted me by email on November 13, 2024 and noted that after installing the KB5002653 update, no add-ins are loaded when Excel is started (I mentioned this in the article Patchday: Microsoft Office Updates (November 12, 2024)). However, this does not seem to be an isolated case.

Analyzing this error

In this comment, German blog reader kheldorn reports the same error. Since installing the Office updates for Office 2016, he has also noticed problems with add-ins loading. The reader looked in the Event Viewer under "Microsoft Office Alerts" under "Applications and Services Logs". For example, Excel tries to load the file:

"C:\Users\username\AppData\Roaming\Microsoft\AddIns\LASSIST.XLA"

although the file is actually named "VLASSIST.XLA". This can be seen in entries found in the Event Viewer:


Microsoft Excel

Wir konnten 'C:\Users\username\AppData\Roaming\Microsoft\AddIns\LASSIST.XLA' nicht finden. Wurde das Objekt vielleicht verschoben, umbenannt oder gelöscht?

P1: 100202
P2: 16.0.5474.1000
P3:
P4:

The reader found that manually removing the wrong add-in entry and then adding the add-in again temporarily fixes the problem. The add-in can be reloaded and then works for a short time.

There are workarounds

After restarting Excel 2016, however, the error returns: the add-in cannot be loaded because Excel searches for it under the wrong file name. If you rename the file to "LASSIST.XLA", for example, Excel 2016 loads the add-in correctly as long as it is included with the name "VLASSIST.XLA". This is probably a better option than uninstalling update KB5002653.

There is a second workaround for the case where the drive letter in the path to the add-in is cut off. German reader viebrix has outlined it: simply connect the drive with double letters as a network drive and register the add-in there. The bug then removes the first letter, and the add-in can be loaded again.

There is also a 3rd workaround via a registry entry. It should also be possible to adjust the path to the add-in in the registry. There is a user-defined setting under:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\office\16.0\excel\options

German blog reader MB has described this workaround in this German comment. I can't say whether it always works (as outlined here); the problem is that it no longer works once Microsoft rolls out a fix.
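
One way to see which add-in registrations under that key are exposed to the truncation described above, as an added PowerShell example (not code from this blog, its readers or Microsoft). It assumes startup add-ins are stored there as string values named OPEN, OPEN1, ... and that bare file names resolve against the per-user AddIns folder shown in the event log entry; the function names are hypothetical. It only reads and changes nothing.

```powershell
# Read-only audit of Excel 2016 add-in registrations (added example).
$optionsKey = 'HKCU:\SOFTWARE\Microsoft\office\16.0\excel\options'  # key named in the article
# Assumption: startup add-ins are stored as string values OPEN, OPEN1, OPEN2, ...
# Assumption: bare file names resolve against the per-user AddIns folder.
$addInDir = Join-Path $env:APPDATA 'Microsoft\AddIns'

function Get-RegisteredAddInPath {   # hypothetical helper
    param([Parameter(Mandatory)][string]$Value)
    # A value may carry switches such as /R and may quote the path; keep only the path.
    if ($Value -match '"([^"]+)"') { return $Matches[1] }
    return ($Value -replace '^\s*(/\S+\s+)*', '').Trim()
}

function Test-AddInRegistration {    # hypothetical helper
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    $registered = Get-RegisteredAddInPath -Value $Value
    if ($registered.Length -lt 2) { return }
    # The string Excel would request once the first character is cut off.
    $truncated = $registered.Substring(1)
    if ([System.IO.Path]::IsPathRooted($registered)) {
        $full   = $registered
        $status = 'full path: first character of the path would be lost'
    } else {
        $full = Join-Path $addInDir $registered
        if (Test-Path -LiteralPath (Join-Path $addInDir $truncated) -PathType Leaf) {
            $status = 'file with truncated name present (rename workaround in place)'
        } else {
            $status = 'no file under truncated name'
        }
    }
    [pscustomobject]@{
        Value = $Name; Registered = $registered; Truncated = $truncated
        FileExists = Test-Path -LiteralPath $full -PathType Leaf
        Status = $status
    }
}

if (Test-Path -LiteralPath $optionsKey) {
    (Get-ItemProperty -LiteralPath $optionsKey).PSObject.Properties |
        Where-Object { $_.Name -match '^OPEN\d*$' -and $_.Value -is [string] -and $_.Value } |
        ForEach-Object { Test-AddInRegistration -Name $_.Name -Value $_.Value } |
        Format-List
} else {
    Write-Output "Key not found: $optionsKey"
}
```

Run it in the affected user's session, since the key lives under HKEY_CURRENT_USER.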

Reports on reddit.com and MS Answers

The bug is affecting more users. Blog reader kheldorn pointed in a comment to the reddit.com post Office addins broken after updates ?, where another user reports this error in Microsoft Excel 2016 and asks if anyone else is affected. kheldorn has added his findings, described above, to that thread.

There is a second reddit.com post KB5002653 breaks Excel xla & xlam add-ins, where this error pattern is also described. The thread starter notes that when testing KB5002653 (security update for Excel 2016), it was found that loading xla(m) Excel add-ins is broken. Excel does not load the add-ins because the first character of the path to the add-ins file is truncated. This leads to the add-in file not being found. Thanks to kheldorn for the hint.

Addendum: After publishing this blog post, I also found a thread Unable to run Excel Add-ins after (KB5002653) latest patch on Microsoft Answers.

Microsoft confirms the bug

According to this German comment from reader kheldorn, Microsoft has confirmed the bug in the support article Description of the security update for Excel 2016: November 12, 2024 (KB5002653) in the "Known issues" section.

After you install this update, Excel add-ins that were enabled the last time you used Excel may not load properly when you open Excel.

The workaround Microsoft is proposing: To work around this issue, open the add-ins manually by double-clicking them or selecting File > Open.

Addendum: An update to fix this bug has been released (see Update KB4484305: Fix for Excel 2016 add-in loading bug).

Similar articles:
Microsoft Security Update Summary (November 12, 2024)
Patchday: Windows 10/Server Updates (November 12, 2024)
Patchday: Windows 11/Server 2022 Updates (November 12, 2024)
Patchday: Windows Server 2012 / R2 and Windows 7 (November 12, 2024)
Patchday: Microsoft Office Updates (November 12, 2024)


2 Responses to Excel 2016 can no longer load add-ins after Nov. 2024 update KB5002653

  1. Mika says:

    Has the issue been solved? The workarounds are partially effective.

  2. Nguyen Vuong_Vn_VSK says:

    November 19, 2024, update for Excel 2016 (KB4484305)
    This update has fixed the bug.
