General discussion

  • Creator
  • #2312920

    Why VBA is an unwise feature


    by discussion ·

    Do you agree with Jonathan Yarden that Visual Basic for Applications is an unnecessary addition to many Microsoft applications? How often do you use VBA in your day-to-day job? Share your comments about the value of VBA, as discussed in the Sept. 22 Internet Security Focus e-newsletter.


All Comments

  • Author
    • #2742274

      Only Outlook

      by jackofalltech ·

      In reply to Why VBA is an unwise feature

      VBA is a great tool that should be available in many more apps EXCEPT for Outlook. I can’t think of a single valid use for it in Outlook.


    • #2743096

      Excel without VBA?

      by dave howe ·

      In reply to Why VBA is an unwise feature

      I think our company would dump MS Office en-masse if it had no macro support (I am not saying that is a bad thing :).
      Word doesn’t seem to need it; Outlook surprisingly does (we use a standard addin called Team Calendar that uses VBA) and Access is unusable without it.
      I haven’t used Star Office in a while, but I would be astonished if it doesn’t have its own scripting support

    • #2743094

      Outlook maybe, but the rest of Office ?

      by rodruss ·

      In reply to Why VBA is an unwise feature

      Jonathan talks from the point of view of UNIX, for which there is probably no equivalent tool available. I frequently use VBA in Excel and find it extremely useful. Perhaps it should be disabled during the installation.

      • #2743065


        by bunce ·

        In reply to Outlook maybe, but the rest of Office ?

        Show me an Access database with any functionality that doesn’t use VBA. How could designers distribute a database to users who don’t have VBA installed? It would be a nightmare.

        Another simplistic view from a UNIX admin.

        • #2743063


          by bunce ·

          In reply to Ridiculous

          that was meant to be a reply to the article, not your post.


    • #2743092

      I do not agree

      by asworks ·

      In reply to Why VBA is an unwise feature

      if it is not vba it is something else.
      if you want to be secure you will have to take any programming tool out of the hands of those kids
      but then who will be the programmers of tomorrow ?

      I use vba very often to write little tools for our company. It is not the average user who needs vba but the administrators or developers who use vba to fit tools like word or excel to their requirements.

      But as you said vba was designed in a pre internet time and maybe it needs a redesign but to ban it in general is the wrong way.

      • #2743015

        I second that opinion

        by blue36 ·

        In reply to I do not agree

        VBA is useful. If it was removed, you would see a lot more third-party applications showing up to fill the void. Think about the holes that would open.

        You need to be able to uninstall or completely deactivate its functionality if it is unneeded by the end-users. Didn’t Excel have a “Disable Macro” option under security?

    • #2743090

      I also do not agree

      by nitro2003 ·

      In reply to Why VBA is an unwise feature

      I don’t agree with Jonathan that VBA is an unnecessary addition, maybe only for Outlook.

      Personally my opinion for VBA is good. I do a lot of work in Office applications and sometimes it is easier for me to achieve results doing in VBA.

    • #2743085

      Totally Disagree

      by joseph.megkousoglou ·

      In reply to Why VBA is an unwise feature

      VBA has been the source of very powerful customisation applications that have enabled average users to have access to services via Microsoft applications that otherwise would have been impossible. If I had to choose between the risk of VBA and 300 lawyers trying to save their documents directly on a network drive (because without VBA can’t integrate Word with document management systems) I know which one I would choose. When was the last time Jonathan worked on a helpdesk environment with average users?



    • #2743053

      Keep VBA / Default to disable though

      by jim lit ·

      In reply to Why VBA is an unwise feature

      I agree with a great amount of what Mr. Yarden has to say about the danger of VBA. It has become a bridge however for a great amount of people who want to get something done quickly without having to write a “real” program to do it.

      Perhaps on install VBA should be flagged as “Install on Demand” instead of installing on the first run. VBA should also be disabled until it is enabled by the user.

      Look at it this way you can do a lot of good things with a knife. You can cut steak with it. You can carve little soap animals. In the hands of a novice however the knife can be dangerous. The same is true of VBA, if it is not understood, then it shouldn’t be enabled.

    • #2743042

      VBA is an absolute necessity

      by richard.binning ·

      In reply to Why VBA is an unwise feature

      Limiting or crippling the VBA environment in office applications, or other business critical applications is a rather knee jerk reaction to this type of threat.

      This form of attack is still a socially engineered vector. If the user doesn’t click on an infected word document or email, then there is absolutely no chance of infection.

      VBA is an absolute necessity for true integration and maximum productivity with mainstream business applications.

      A better argument could be made for security at the VBA level which would consist of encrypted messages and authentication. If the code didn’t originate on the current machine and lacked a secure identity of some sort (verisign, local registration, etc.) then simply pop up a dialog box for further verification.

      Or follow Autodesk’s lead (another VBA enabled application), and provide a viewer plugin for IE that isn’t VBA enabled. Chances are that the user who clicks on such a document isn’t interested in modifying it anyway. Make the default behavior of the viewer “view only” and eliminate these intrusion points all together.

      My .02

    • #2743039

      VBA, no: Java, yes

      by bblackmoor ·

      In reply to Why VBA is an unwise feature

      VBA was fine for the 1980’s and early 1990’s, but today’s applications need a more stable, secure scripting engine. Fortunately, we have one — Java.

      • #2743032

        Java is wonderful, but . . .

        by nlogan ·

        In reply to VBA, no: Java, yes

        Java is a wonderful programming platform. But, it’s not as simple as VBA. I love my Linux, but my users love Windows. And my users need to be able to do quick and dirty VBA code in Excel and Access. Plus, Excel has this nice little feature that allows a person to “record” a macro. That keeps them from running to me every time they want a little code created.

        Thank you very much, but as much as I dislike the Windows platform, it has made my life easier. That is until one of my users gets a virus! But, even then, it’s usually easier to clean up the virus than develop all the code that makes the users more efficient.

        • #2743018

          the root of the problem is human stupidity

          by bblackmoor ·

          In reply to Java is wonderful, but . . .

          “my users need to be able to do quick and dirty VBA code in Excel”

          Your users need to be able to do their jobs. They can’t do that if they spend a quarter of their time cleaning up after predictable, preventable infections from viruses and virus-like attacks. The root of the problem isn’t VBA’s huge security holes, or IIS’s huge security holes, or Outlook’s huge security holes, or the sheer evil of HTML-mail.

          The root of the problem is that some people are just too damnably stupid to use a computer. They keep using these notoriously buggy, virus-prone programs, and then they act surprised every time a new worm makes the rounds. Millions of dollars of man-hours are thrown away, over and over, because people are morons.

        • #2742942

          I’m not so sure about that….

          by bryans ·

          In reply to the root of the problem is human stupidity

          I would be the first to agree that some people are “morons”. Believe me, I run into my share every day. However, I don’t agree with the above statement that most people are “morons” or “stupid”. Most are either ignorant of the problem or just don’t care.

          Users have their jobs to do. They often don’t have time or don’t have interest in using their computers properly. Many of them don’t even like computers. It’s just a necessary part of their job. They, therefore, do not practice using proper computing common sense. And, of course, there are also some that simply won’t listen to anything you say about proper usage. They figure it’s your job to fix it, not theirs to help prevent it.

          I’m not saying that all of these people are right. Far from it. But you need to stop and think. If you didn’t have all of these people using computers (wisely or not), you probably wouldn’t have a job. It doesn’t matter how good you are, if companies don’t need you, you won’t be there. Just ask any laid-off IT Pro.

          ….Well almost any IT Pro. We have our share of “morons” too.


        • #2742036

          Do you work in the real world?

          by nlogan ·

          In reply to the root of the problem is human stupidity

          May I suggest a strong firewall, good antivirus software, etc?

          As an IT professional it is my responsibility to provide the users with easy-to-use tools, teach them to use them correctly and try to protect them from themselves. And if I fail in the latter 2, then it is my responsibility to clean up after them.

          And I sure hope that you don’t interact with users, because a demeaning attitude like yours is why there are so many people still afraid of the technology.

    • #2743037

      Gee, why not remove the whole OS

      by cliff ts ·

      In reply to Why VBA is an unwise feature

      Remove the whole OS then you would be secure, of course you won’t get much work done. No, VBS must stay and be active, it is one of the best features of the MS products.

      • #2743031

        Not the only game in town anymore

        by john ·

        In reply to Gee, why not remove the whole OS

        There are now so many excellent products out there that fill the Office productivity and database space at least equally well and in some cases better that you may find more work would get done as not so much time need be spent on patching systems.

    • #2743000

      Yet another rant

      by adelpreore ·

      In reply to Why VBA is an unwise feature

      Just throw the baby out with the bathwater why don’t you. The vast majority of our applications support VBA scripting. Which means that an administrator may tweak/customize the application to suit their needs. This alone has saved man-years of writing otherwise highly customized code! Just disabling VBA scripting is an overtly simplistic solution. I agree that a Word document has no business being able to format your hard-drive, neither does an e-mail message. The fact that these things still crop up isn’t because of the sass of the script writers but the ignorance of slobs that continue to allow these types of exploits to make the news. If you are upset with Outlook read all e-mail as text, or switch to another e-mail client.
      That’s the world we live in. Like it or not, VBA is an integral cog in the Windows world – by making programming script available to the masses you also open yourself up to the script ‘kiddies’. Wise up, it’s a dangerous world we live in!

    • #2742988

      How could Mr. Yarden be allowed to write this?

      by azdesertdude2000 ·

      In reply to Why VBA is an unwise feature

      How did the TechRepublic editors allow this article to get posted? First and foremost, the author is obviously NOT familiar with MS Office products. He’s a UNIX Admin!

      I’ll bet the very editors that approved his writing use macros every day.

      I read these discussions occasionally for INFORMED opinion. Not diatribe from a novice.

    • #2742971

      VBA as an Add On?

      by guruofdos ·

      In reply to Why VBA is an unwise feature

      Most of our Office users aren’t even aware of VBA. As a ‘Power User’, I have perhaps used it once or twice…no more.

      It seems to be bundled with Office and yet it is a little used feature in many instances…especially by home users who simply use Word to type the occasional letter.

      Personally, I think that Office should be sold as ‘Componentware’. Go to an M$ dealer and buy a copy of Office….and when you install it, all the options are there, whether you choose to install them or not. Personally, I would like to see a ‘Minimal’ distribution of Office, with just the basic features, at a vastly reduced price. Users who then need VBA, scripting, macros or whatever should then be able to purchase (via a store, on-line or whatever) an ‘add-on’ pack for additional features.

      If you only use 10% of a product, why should you have to pay 100% of the price and then ignore 90% of the features? You wouldn’t go into a restaurant and order steak and chips with a salad garnish if all you want is the lettuce and tomato out of the garnish…you’d order a small side salad at a fraction of the cost. Of course, if you WANTED a full-blown dinner….you COULD order it and pay the full-blown price.

      I’d love to see a pick’n’mix Office, where you go to Microsoft and fill in a ‘menu’ for Office Apps…then just pay for the parts you order.

      Many people DON’T want that damn paperclip! People who only ever use a laser printer to bang out standard letters DON’T need coloured fonts or WordArt. People who only ever produce their own documents and never need to ‘translate’ a Lotus or Wordstar doc SHOULDN’T have to pay for converters that they don’t use.

      Could we maybe in the future see a ‘basic letter writing’ version of ‘Word 2004 Component Edition’, that only costs $10 but can have components ‘added’ as necessary for a few $$$ a time. If you then downloaded an entire range of plug-ins or add-ons you would perhaps pay 5 or 10% more than buying a full version in the first place? The incentive is automatically there to buy a full version from the get go, saving 5 or 10% if necessary.

      The user who just wants to type the odd letter is more likely to make do with WordPad than spend $200+ on a full copy of a program. However, ‘real’ Word, in a cut down form for a few tens of dollars that can subsequently be added to if required surely has to make sense?

    • #2742967

      VBA is moving on

      by jackp ·

      In reply to Why VBA is an unwise feature

      With Microsoft’s new ability to use C# (a Java-like language) VBA is already going by the wayside, but I emphatically agree with the other comments that VBA is necessary glue for MS applications and that any middleware language of this type is going to have problems.
      BTW for our corporate approach to VB see – we make a translator:)

    • #2742966

      Two Cents from one of those “who have no business programming”

      by chuckr314159 ·

      In reply to Why VBA is an unwise feature

      I’m just as ticked as the next guy, having to keep up with virus updates, patches, firewalls, etc, instead of doing my job. As I’m writing this I must break every few minutes to quarantine the dozens of swen emails.

      I’ve got no problem with disabling VBA for those who aren’t going to use it, but the author is barking up the wrong tree as to the source of the problem. I’m an independent consulting professional in another discipline who does lots of programming and am probably one of those who the author thinks “has no business programming”. I am self-taught at programming in Windows and started learning by recording VBA macros, reviewing the code, and extrapolating from there.

      The author makes no sense. It’s not me and VBA that’s the problem. If those so-called professional programmers/analysts could communicate clearly with users, deliver what they needed in a timely fashion and at a reasonable cost, then perhaps we wouldn’t need tools like VBA. There’s a reason US programming jobs are being replaced by do-it-yourselfers or are being shipped out to India!

      Maybe those professionals could spend their time figuring out how to write useful development software and operating systems that those 15 year old amateur hackers can’t abuse, instead of just deciding that everybody else needs to stop programming and instead just sit tight, wait, and pay them to do it (which by the way is the classic IT Ivory tower response to a problem that got them into this mess in the first place!)

    • #2742960

      Speaking figuratively on VBA

      by algonquian_cougar ·

      In reply to Why VBA is an unwise feature

      It is very simple for some to get lost in the point of not being able to see the forest through the tree. To get a keen sense of Jonathan Yarden’s insight, into our continuing security problems. From a Pro Gun Advocate. I saw that officer’s gun jump clean out of his holster and run away from him. Then it shot two innocent bystanders before the officer could retrieve it. Jonathan, we have criminals in our society. It is a point where we are just now massing to move against criminals that use malicious code. This being in the point of “Man’s Inhumanity To Man”. Look in the point of Domestic Violence. It was 1904 that the 1st law was drafted that made it illegal for a man to shoot his wife or kids. But it wasn’t till the 1970’s that any of these Domestic Violence laws were actually used. Sorry Jonathan, I will not throw the baby out with the diaper. We can not bury our future in the closet for every thug that wishes to be the devil’s advocate.

    • #2742959

      Strike 2

      by goboslayer ·

      In reply to Why VBA is an unwise feature

      This is the second article by Yarden in as many weeks that has little to nothing to do with Internet Security and is nothing more than his opinion of Microsoft. The article content has a place, but not in the Internet Security Focus newsletter. This was Tech LockSmith subject material.

      I realize that a hacker could use the Internet as a means to attack a system with this vulnerability, but that is not really covered in this article, apart from a simple mentioning of it.

      Spreading your opinion of Microsoft’s problems and how you’d fix them is of little technical value to anyone.

      And for my 2 cents, just because VBA has a flaw does not mean that you scrap the whole technology. Some programs need it, and some don’t, but VBA has become a very valuable tool for software interoperability, integration, and interfacing for software other than the Microsoft Office suite.

    • #2742946

      VBA Is Just Like Everything Else.

      by quadrance ·

      In reply to Why VBA is an unwise feature

      Why do some of us act like hacking never occurred before windows? VBA is just like any other scripting language. It will run in the context of the user who initiates its execution. Even if you signed the code, it will still run in the context of the Joe Schmoe user who double clicked on the icon. Another thing to consider is that I get the sense the author has never set up office himself. I say this because if you do a custom set up of office, you have the option of excluding VBA for applications. You could do that even after an install? And for all you Java Beans out there, are you going to act like java isn’t any different. It’s a scripting language that executes in the context of the user that initiated its execution.

    • #2742941

      Jonathan is right on target

      by jamesjmots ·

      In reply to Why VBA is an unwise feature

      I’ve been writing BASIC code since today’s “pro’s” were in diapers. MS is insane putting VB stuff in EVERYTHING. I agree – disable it.

    • #2742186

      Get a real job Yarden

      by thephoton ·

      In reply to Why VBA is an unwise feature

      You must not use Microsoft products very often to come up with the bone headed idea that there is no need for VBA or VBScript to be included with these products. For that matter you would probably stop all software and application development because compilers mean people will write software that could lead to viruses.

      If you are that afraid, then maybe you should just turn off your computer and leave the rest of us alone.

      “Stupid Is, As Stupid Does.” Forrest Gump

    • #2742179

      Re: Why VBA is an unwise feature

      by jbond ·

      In reply to Why VBA is an unwise feature

      Mr. Yarden’s analysis of VBA’s utility (“an unwise feature to have”, “Average users don’t benefit from VBA: it only exposes them to undesired threats” etc.) betrays an arrogant contempt for us ‘non-programmers’ which I found quite offensive. I am an accountant in the financial services industry who over the last 8 years has taught himself to programme in VBA (although I’m sure my feeble efforts would be derided by Mr. Yarden for their amateurism) enabling me to develop applications which automate many of the repetitive functions carried out in my company. Before taking my first tentative steps with VBA macros, the world of programming was a mystery to me. I had previously worked in quite large organisations, where an endemic inefficiency is created by the segregation of IT and programming from the rest of the great unwashed: users humbly bend the knee in front of the programmer “elite” grovelling for modest improvements in the functionality of the applications built by members of the IT departments who have no real idea of the business or user requirements. After numerous failed iterations, the poor user either gives up in frustration or resorts to an Excel spreadsheet. Over time, spreadsheets proliferate, making effective management implementation of an IT strategy almost impossible, while increasing errors and making delegation of tasks inefficient, but ensuring our friends in the IT ivory tower enjoyed a nice fat budget and a steady stream of development projects.
      I started my company vowing not to fall into the spreadsheet trap: there would be no segregation between the IT resource and the user, indeed they became one and the same. How? Thanks to VBA: a language a non-programmer can use to build robust, database applications (with Access). My company has become at least twice as efficient as my competitors (based on the number of people we employ relative to the assets we manage) by training our people to use Access and VBA and insisting they use it. No, VBA is not a panacea nor is it infinitely scaleable, but it is a vital link between enterprise-level applications and the desk top, allowing the user to develop applications scaled and customised to his requirements, not Mr. Unix’s or whoever.
      So what is your beef, really, Mr Yarden? You think the whole of VBA should be junked because there are some security holes? Talk about throwing the baby out with the bathwater! Or could it be that you’re concerned the 15% of people using VBA with Office just might be demystifying the whole programming process and threatening your job security?
      But why listen to me? I’m not a programmer. I just run a business. What the hell do I know?

    • #2742087

      FIX the FIXES

      by rbwjr ·

      In reply to Why VBA is an unwise feature

      Hey y’all, just a note from a “regular” Joe, how about they correct the mistakes in the so-called fixes. After getting the latest, I found it messes with my settings for the screen as well as my scanner. It’s bad enough that I had to go through all the rigamarole to make it compatible with the XP system, then the “fixes” messed it up some more. Now every time I boot-up, I have to reconfigure my screen settings since it doesn’t WANT to keep them at what I set. NICE…and this is SUPPOSED to be from the so-called leaders in this technology?…right!

      • #2742086


        by rbwjr ·

        In reply to FIX the FIXES

        Oh, I will also mention that I HAVE gone in to reset the screen parameters and to NO avail. When my initial screen shows up, it’s at what I had it set…for a second, BUT then it blanks out and RESETs itself to 600×480 so I have to go in and place it at what I WANT it to be at. Go figure…

        • #2741996

          XP woes may be rooted in your hardware

          by goboslayer ·

          In reply to P.S.

          I’m not sure what relevance broken software due to patches has in a discussion of a VBA vulnerability, but give it a shot:

          It’s well known that XP’s Hardware Compatibility List (HCL) should be consulted for hardware incompatibilities before loading the OS. Sounds to me like you have a driver issue with a Video card that may or may not be supported by XP. This is something you should have investigated prior to loading XP.

          A text or searchable version of the HCL can be found here:

          If your computer is an older model, the incompatibilities are very possible. It’s like purchasing the most state of the art 6.1 surround sound home theatre system and becoming upset with the manufacturer when it doesn’t work with a television you bought in 1978.

    • #2742038

      To sum it up…

      by evilspamman ·

      In reply to Why VBA is an unwise feature

      Ok – I think it’s almost universally agreed that VBA is very crucial to office applications… at least it is for Access and Excel, without a doubt. But I have one question for Maxwell Edison: Did you major in medicine?

    • #2741938

      What the end users want?

      by onbliss ·

      In reply to Why VBA is an unwise feature

      As an application developer I have seen numerous scenarios where the reports that we provide are not ‘useful straightway’ to the end user.

      Many business users / end users copy and paste the data from several applications onto Excel spreadsheets and run their macros to get their desired data-format.

      I have been pained to see them do these additional steps. They collage from several reports in the application and also from several different applications. It is not always possible to deliver the report they want because of:
      2)Time constraint
      3)Budget constraint
      4)Lack of interest from everybody (except them)
      5)Bad Requirements gathering

      It is nice to talk about seamless integration between applications. It is simply not possible to integrate all the applications in myriad ways to address myriad user requirements. If this happens, I will retire from this IT industry 🙂

      To the end users Excel is ‘the thing’. You might take anything from them but Excel. I have seen some Marketing and Financial analysts so proficient in Excel and macros that I have been ashamed to call myself a programmer.

      Remove VBA from MS products only after we as IT people have provided solutions to the business users the way they want it. Until then we have to be happy that there is a way for them to get to the data the way they want it.

    • #2741936

      I disagree

      by jim ·

      In reply to Why VBA is an unwise feature

      The addition of VBA as a standard to all of the Office products is one of the first really good moves on the part of Microsoft. Previously, we had to learn something different for each version of each application. I use VBA extensively in Access and a fair amount of the time in the rest of the Office applications. The programs would be largely useless if left in their vanilla state without an underlying standard language. The problem is not VBA. Any standardized language could be used the same way. The problem is educating users to not open attachments from unknown sources. What we need is a virus scanner that can read the VBA and give a warning about possible consequences. If this is made available, then the standardization on VBA is actually useful, since there is a single language to be checked.
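
Added example, not part of the thread or of any product: a minimal sketch of the kind of macro-reading scanner the comment above asks for, which reads VBA source text and reports what the macro could do. It assumes the macro source has already been extracted from the document as text; the keyword lists are an illustrative subset, and all function names are hypothetical.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line: int   # 1-based line where the statement starts
    kind: str   # "autoexec" or "capability"
    name: str   # identifier as written in the macro
    note: str   # consequence to show the user

# Illustrative subsets, not complete lists (assumption of this example).
AUTOEXEC = {"autoopen", "autoexec", "autoclose", "autonew", "auto_open",
            "auto_close", "document_open", "document_close", "workbook_open"}
CAPABILITIES = {
    "shell": "starts an external program",
    "createobject": "creates a COM object (scripting, mail, file system)",
    "getobject": "attaches to an existing COM object",
    "kill": "deletes files",
    "declare": "calls a native DLL function directly",
    "sendkeys": "sends keystrokes to other windows",
}
PROC = re.compile(r"^\s*(?:(?:public|private)\s+)?(?:static\s+)?sub\s+(\w+)", re.I)
WORD = re.compile(r"\b[A-Za-z_]\w*")

def code_only(line):
    """Drop string literals and the trailing ' or Rem comment from one line."""
    out, in_string = [], False
    for ch in line:
        if ch == '"':
            in_string = not in_string   # "" inside a string toggles twice
        elif in_string:
            continue
        elif ch == "'":
            break
        else:
            out.append(ch)
    text = "".join(out)
    return "" if re.match(r"\s*rem\b", text, re.I) else text

def logical_lines(source):
    """Yield (start_line, statement), joining ' _' line continuations."""
    buf, start = "", 0
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = code_only(raw).rstrip()
        if not buf:
            start = lineno
        if code.endswith(" _"):
            buf += code[:-1]
            continue
        buf += code
        if buf.strip():
            yield start, buf
        buf = ""
    if buf.strip():
        yield start, buf

def scan(source):
    """Return findings in source order. VBA is case-insensitive, so is this."""
    findings = []
    for lineno, stmt in logical_lines(source):
        m = PROC.match(stmt)
        if m and m.group(1).lower() in AUTOEXEC:
            findings.append(Finding(lineno, "autoexec", m.group(1),
                                    "runs without the user starting it"))
        for word in WORD.findall(stmt):
            note = CAPABILITIES.get(word.lower())
            if note:
                findings.append(Finding(lineno, "capability", word, note))
    return findings

def verdict(findings):
    """'warn' when self-starting code also reaches outside the document."""
    kinds = {f.kind for f in findings}
    if kinds == {"autoexec", "capability"}:
        return "warn"
    return "review" if kinds else "ok"

# Constructed sample macro, written for this example only.
SAMPLE = '''\
' Constructed sample. Kill and Shell in this comment must not be flagged.
Private Sub Document_Open()
    Dim fso As Object
    Set fso = _
        CreateObject("Scripting.FileSystemObject")
    MsgBox "Shell is only mentioned inside this string"
    Shell "notepad.exe", vbNormalFocus
End Sub
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.name} {f.note}")
    print("verdict:", verdict(scan(SAMPLE)))
```

Word-level matching like this is a heuristic: it ignores comments and string contents, but it cannot follow obfuscated or indirect calls, so a clean result means "nothing obvious", not "safe".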

    • #2743725

      Decent Access development relies on it

      by darendjunker ·

      In reply to Why VBA is an unwise feature

      It’s bad enough that I have to work with Access as the front end for several clients, but many projects can’t be done without VBA in Access. Writing a custom front end application or a web front end is ideal, but not every project can spare the time commitment for that.

    • #2718424

      VBA Perfect for Access

      by mike ·

      In reply to Why VBA is an unwise feature

      I am an Access programmer and although you can do data analysis with it without VBA. With VBA you can create very complex applications that are useful to most people. We have an accounting program written in Access/VBA. I have never heard of any company purchasing an accounting program without wanting to modify it to do things to suit the way they operate. Many accounting programs are written with a proprietary programming language. Every single modification that means anything then becomes exceedingly expensive because there are few folks who know the programming language. Even so it is necessary to purchase the code in addition and that is even more expensive to start with. We tell ours to do whatever we need it to do, simply by using VBA. VBA multiplies the value of Access ten-fold.
