External Link Security Broken in Excel

miqrogroove
2019-08-02T14:17:26+00:00

Excel Security Warning About Linked Workbooks

After linking two local Excel files by a simple reference to a cell in another workbook, I began seeing an ominous error:

SECURITY WARNING  Links to external sources could be unsafe. If you trust the links, click Update. Click for more details.

This behavior was observed in version 1907 of Excel from the Office 365 software package.

Warnings of this nature should be taken seriously.  In this case, however, the message has been seriously mislabeled.  Clicking into the details brings up an ancient Help page for Excel 2007.  Searching for similar situations online brings up some misleading instructions.

If you are experiencing the situation described above, continue reading below for a simple workaround and more background information.

Disable the Startup Prompt for Link Updates

The intent of the program is to give you some control over the timing of workbook link updates.  In many cases, it is better to allow these links updates to happen automatically every time you open the file.

Step 1. The Edit Links Button

After opening the affected file, click on the Data tab of the menu ribbon.  Look for the Edit Links button, as shown in the screenshot above.

Step 2. The Startup Prompt Button

In the Edit Links dialog, you may see that the only option is Automatic Update.  Click on the Startup Prompt button to configure the automatic update.

Step 3. Set Automatic Update with No Alert

In the Startup Prompt dialog, the default setting is “Let users choose to display the alert or not.”  As far as I know, this means Display a Security Warning.  Well, could that be a bug?  Let’s change it.  What you need to do here is select the last option, “Don’t display the alert and update links.”

Broken Security Settings

The logical place to go for help with this problem should have been, but isn’t, the Microsoft article, Block or unblock external content in Office documents.  The article points to a menu deep in the Trust Center dialog boxes that specifically enables and disables prompts for automatic updates of Workbook Links.

Except it doesn’t work.

In my testing, the Trust Center settings had absolutely no effect on the appearance or disappearance of the Startup Prompt, or bogus Security Warning as it were.

While there are certainly some security considerations to be made when dealing with file links, the fact that the warning is completely disconnected from what looks like the security configuration system causes me to assume that the warning is either not security related, or that this part of the security system is totally broken.

To test the idea that Excel security might be broken, I performed the following steps:

  1. Configured the destination file as described above.
  2. In the Trust Center, I selected the option, “Disable automatic update of Workbook Links.”
  3. Saved and closed all files.
  4. Opened the source file, modified the data, saved and closed the file.
  5. Closed and re-started Excel to ensure all new settings are effective.
  6. Opened the destination file and observed the linked data.

Result: Excel updated the Workbook Links without prompting and without displaying any warning.

This appears to be a contradiction of the meaning of the Trust Center configuration, its documentation, and common sense security practices.  I can only speculate that these settings are always overridden by the Trusted Documents subsystem and its “Enable Content” button.  Perhaps Microsoft should consider changing this behavior so that the Trusted Documents list is always cleared after any change to the Trust Center configuration.

Having said that, I will point out again that in its default configuration, Excel throws a security warning anyway.

2 Aug 2019

Category:
Security

Tags:

Discuss:
Comments Go Here

Write a Comment