[German]On May 13, 2025 (second Tuesday of the month, Microsoft Patchday), Microsoft released several security-related updates for Microsoft Office 2016, as well as the C2R variants (Office 2016-2021 and 365) and other products. In the meantime, I have received some reader feedback on problems. Excel can't load documents with filenames, containing leading square brackets [..].
Microsoft Office updates (May 13, 2025)
An overview of the updates can be found on this website (and here for this month). I have published a brief overview of the relevant updates in the article Patchday: Microsoft Office Updates (May 13, 2025). Details on the respective updates are documented in the linked KB articles..
Can't open Excel documents with leading [..] in file name
German blog reader Dennis F. contacted me by email on May 23, 2025 because he had delayed the May 2025 update and now had installed the patches. He wrote that "after yesterday's installation of updates", some Excel documents could no longer be opened. This affects Excel documents whose names begin with a square bracket. The rest of the file name is then cut off and the document cannot be found for opening.
He wrote: "We have not tested whether the behavior also occurs when the bracketing is within the file name. It is also unclear whether other Office applications such as Word are affected."
According to the reader, it is also not clear whether this issue is caused by a Windows or Office update. After I've published the German edition of this blog post yesterday, several German blog reader came back with the feedback, that they are facing the same issue.
The issue thing reminds me of the problem described in the article Excel 2016 can no longer load add-ins after Nov. 2024 update KB5002653, where file names for add-ins were garbled. However, this bug has been fixed (see Update KB4484305: Fix for Excel 2016 add-in loading bug).
Is it a security issue?
Within the comments to the German edition of this blog post, someone pointed out a not so amusing observation. If there are two files available:
[Test]anyFileName.xlsx
Test.xlsx
the file Test.xlsx will be opened when the user tries to open [Test]anyFileName.xlsx. Could be a security risk, if an attacker tries to masquerade a bad approach like this:
[badFile]goodFile.xlsx
badFile.xlsx
in the same folder. If badFile.xlsx has a hidden file attribute, it can't bee seen from a user with default settings. While .exe files can't be loaded that way, other file types that can be opened in Excel via the above trick. With:
[test.jpg]Billing.xlsx
an untitled Excel file with a macro shows a trust warning. But if the user clicks Yes, the file will be opened.
Similar articles:
Microsoft Security Update Summary (May 13, 2025)
Patchday: Windows 10/11 Updates (May 13, 2025)
Patchday: Windows Server-Updates (May 13, 2025)
Patchday: Microsoft Office Updates (May 13, 2025)
I confirm having the issue with Windows 11 24H2 build 26100.4061 (may updates) and Excel 365 Version 2504 Build 16.0.18730.20186 64 bits.
Issue still present with the newest update of Office 365 Version 2505 Build 16.0.18827.20102 64 bits.
Could not recreate the problem with Windows 10 Version 22H2 with May 2025 update and Office 2016 32-bit MSI with may 2025 updates.
Problem partly fixed with Office 365 Version 2505 (Build 18827.20164). What's different is now the file opens without any error but in protected mode. It doesn't matter if the file has a MotW or not.