Check: DTOO146 - Excel
Microsoft Excel 2007:
DTOO146 - Excel
(in versions v4 r13 through v4 r12)
Title
Disable Trust access for VBA into Excel, Word, and PowerPoint. (Cat II impact)
Discussion
VSTO projects require access to the Visual Basic for Applications project system in Excel 2007, PowerPoint 2007, and Word 2007, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Excel 2007 -> Excel Options -> Security -> Trust Center “Trust access to Visual Basic Project” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Excel\Security Criteria: If the value AccessVBOM is REG_DWORD = 0, this is not a finding.
Fix Text
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Excel 2007 -> Excel Options -> Security -> Trust Center “Trust access to Visual Basic Project” will be set to “Disabled”.
Additional Identifiers
Rule ID: SV-18610r1_rule
Vulnerability ID: V-17522
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |