OFF97: Office 97 Macro Security Recommendations

Microsoft Office 97 does not have the underlying security architecture that is necessary to fully protect against macro viruses. The security included in Office 97 was state-of-the-art at the time that it was developed, but key improvements, such as digital signature technologies, did not exist at that time. Since then, virus writers have become far more sophisticated.

Based on these facts, Microsoft recommends that if you are concerned about security in Office programs, you should upgrade to either Microsoft Office 2000 or Microsoft Office XP. Both of these versions include security architecture that allows more thorough protection from macro viruses.

The "More Information" section of this articles describes safe computing practices and policies for customers who cannot upgrade to a later version of Office.

For customers who cannot upgrade to a more secure version of Office, Microsoft recommends that you use state-of-the-art antivirus software, along with safe computing practices and policies. These practices and policies include the following:

• Install the latest security update available. For additional information about the history of updates for Microsoft Office 97, click the following article number to view the article in the Microsoft Knowledge Base:
  248710  (http://support.microsoft.com/kb/248710/ ) OFF97: Overview and History of Office 97 Patches
• Turn on macro virus protection. To turn on macro virus protection, follow these steps:
  1. Start Microsoft Excel.
  2. On the Tools menu, click Options, and then click the General tab.
  3. Select the Macro virus protection check box.
  4. Repeat steps 1 through 3 for each Office 97 program.
  After you turn on macro virus protection, you are prompted to enable or disable macros whenever you open a file that contains a Microsoft Visual Basic for Applications (VBA) macro.
  
  Note Turning on macro virus protection does not protect your computer from macro viruses written in the Excel 4.0 macro language.
• Disable Microsoft Visual Basic for Applications on computers where it is not necessary. Disabling Visual Basic for Applications is the only way to make sure that no VBA macros can run in any Office program. To completely disable VBA macros, follow these steps:
  1. Locate the VBA332.dll file on the computer.
  2. Rename or delete the VBA332.dll file, so that Office programs cannot use it.
  Note Deleting this file completely disables Microsoft Access. It also disables built-in add-ins (such as the Analysis Toolpak) and user-defined functions in Excel. In addition, it causes several VBA-related errors to occur when you start Office programs. However, these errors do not affect general non-VBA usability of the programs.
• Block Office file types in e-mail attachments for computers where Office 97 is installed. If you are using a server that is running Microsoft Exchange, you can block Office file types in e-mail messages for computers running Office 97. This prevents users with unsecure programs from accidentally spreading viruses when they open attached files.