Tech Tip: Why Visual Basic for Applications is an unwise feature

By Jonathan Yarden

Once again, it's time to hunt down software updates and plug holes. Microsoft recently grabbed headlines with yet another multiple application and Windows version vulnerability. This time, the flaw affects a software feature that few people know about or even use: Visual Basic for Applications (VBA).

VBA is an embedded scripting language for applications, kind of like a macro language on steroids. I would estimate that at least 85 percent of the people using Microsoft Office and other VBA-enabled applications don't even use it.

VBScript, the twisted sister of VBA, is precisely how many of the nasty e-mail worms and viruses get into your system. I can't think of any legitimate reason to enable any type of scripting language in an application unless I've specifically said I want it active.

But for some reason, Microsoft has included VBA in many of its applications. That means that all of those applications are now vulnerable.

It seems like Microsoft is determined to stuff a BASIC interpreter into every piece of software it writes, even when it makes little sense to do so. No one in their right mind would want to allow people to run programs attached to e-mail messages, but VBScript does just that when you click an e-mail attachment in Outlook or Outlook Express.

It's possible that this idea made sense at one time—before the threat of viruses and worms became so high. But now VBA is simply an unwise feature to have, and using it isn't worth the risk. Average users don't benefit from VBA; it only exposes them to undesired threats.

Surely a company with Microsoft's resources could make it possible to "downgrade" applications that now support VBA. In my opinion, it's a fairly simple change: Just add a configuration setting that disables all VBA scripting across all applications. Or better still, allow users to remove the DLLs that enable VBA so the next clever 15-year-old kid doesn't trash the Internet by releasing a worm. Unfortunately, Internet security isn't always that simple.

Trying to make everything "simple" is exactly how we managed to get into this mess in the first place. As soon as the world became obsessed with the idea that writing software was simple, a lot of people who really had no business writing software suddenly became programmers.

Don't bet that the so-called professional programmers at Microsoft are going to make their software any better in the near future. The kids writing exploits are beating the pants off the pros daily, and they'll continue to frustrate Microsoft—and the rest of the world—until Microsoft changes its design philosophy.

Thanks to Microsoft's penchant for trying to be everything to everyone, we've got another "update or else" scenario occurring with Visual Basic for Applications. So once again, it's time for Microsoft to distribute patches to correct a software flaw for an unnecessary feature that it should never have included and allowed to operate by default in the first place.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.