Title

Disable Trust access for VBA into Excel, Word, and PowerPoint. (Cat II impact)

Discussion

VSTO projects require access to the Visual Basic for Applications project system in Excel 2007, PowerPoint 2007, and Word 2007, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard.

Check Content

Validate the policy value for User Configuration >> Administrative Templates >> Microsoft Office PowerPoint 2007 >> PowerPoint Options >> Security >> Trust Center “Trust access to Visual Basic Project” is set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\ If the value for AccessVBOM is REG_DWORD=0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office PowerPoint 2007 -> PowerPoint Options -> Security -> Trust Center “Trust access to Visual Basic Project” will be set to “Disabled”.

Additional Identifiers

Rule ID: SV-18611r4_rule

Vulnerability ID: V-17522

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.