Microsoft Office security updates may break VBA programs, how to fix

Microsoft says that some VBA programs might break after installing the security updates for the CVE-2020-0760 Microsoft Office remote code execution vulnerability released as part of the April 2020 Patch Tuesday.

Users and IT admins will notice that after installing yesterday's Microsoft Office updates some Visual Basic for Applications (VBA) references in their VBA solutions are blocked with "Compile error: Can't find project or library" errors being displayed.

According to Microsoft's advisory, VBA programs using typelibs (*.olb, *.tlb, *.dll), executable files (*.exe), and ActiveX controls (*.ocx) located on internet/intranet servers or downloaded from the internet are affected by this issue.

Microsoft provides more information on VBA object library references in this Office Dev Center reference article.

How to unblock VBA object libraries

"This is a standard message that indicates missing VBA object libraries," Microsoft explains. "If you receive this error message, revisit your current VBA solution, and replace the blocked libraries with local ones."

For Internet VBA object libraries Microsoft recommends keeping them blocked as they could render your VBA solution vulnerable to attacks.

VBA object libraries loaded from untrusted intranet locations can be unblocked by using a Group Policy setting designed to alter Microsoft Office 2016 security settings. After enabling it, VBA will treat intranet paths like local machine paths.

"You can use the regsvr32 command to register the object libraries so that they can load," Microsoft also notes.

The setting you need to enable for this is located under User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings as shown in the image below.

Previous Patch Tuesday VBA issues

This is not the first time Patch Tuesday security updates have caused issues for IT admins and users who use VBA solutions.

Last year, with the release of the August 2019 Patch Tuesday updates, Microsoft introduced another bug that could have causes Visual Basic 6 apps, VBA macros, and VBScript scripts to stop responding and to display "invalid procedure call" errors.

Two days later, Microsoft rolled out updates to fix the issue for customers using Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and Windows 10 version 1709, with fixes for other affected platforms released during late-August.

Microsoft also announced at the time that it will disable VBScript by default in Internet Explorer for Windows 7, 8, and 8.1 on August 13, 2019.

The measure was part of a Microsoft initiative that started back in 2017 with the end goal of disabling VBScript in Internet Explorer for more secure user experience.

VBScript has been disabled by default in Internet Explorer 11 on Windows 10 for customers who installed the July Patch Tuesday cumulative updates.

Comments are closed.