Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Microsoft has discovered a vulnerability in Office Visual Basic for Applications (VBA) macro project signing. This vulnerability might enable a malicious user to tamper with a signed VBA project without invalidating its digital signature. Therefore, we recommend that users apply the security updates that are listed in Microsoft Common Vulnerabilities and Exposures CVE-2020-0760.

To enhance the security of the Office VBA macro project signing, Microsoft provides a more secure version of VBA project signature scheme: V3 signature. The V3 signature is available in the following products: 

We recommend that organizations apply the V3 signature to all macros to eliminate the risk of tampering. 

By default, to ensure backward compatibility, VBA files that have existing signatures will continue to work, and files that are signed by using the V3 signature can be opened and run in earlier versions of Office or in non-updated Office clients. However, we recommend that admins upgrade the existing VBA signatures to the V3 signature as soon as possible after they upgrade Office to the listed versions. After admins verify that there is no compatibility loss to the organization, they can disable the old VBA signatures by enabling the Only trust VBA macros that use V3 signatures policy setting. For more information about this policy setting, see the "Enable policy setting: Only trust VBA macros that use V3 signatures" section.

Upgrade signed VBA files to the V3 signature

Admins can use the following topics to upgrade existing VBA signatures files to the V3 signature.

Use VBA Editor to re-sign VBA files 

If you have private certificates, use the Visual Basic for Applications (VBA) Editor that's provided in an Office application to re-sign the VBA files.

  1. To re-sign a VBA file, press Alt+F11 from within the file to open the VBA Editor.

  2. To replace an existing signature with the V3 signature, select Tools Digital Signature. The Digital Signature dialog box opens.

    Note: To sign a VBA project, the private key must be correctly installed. For more information, see Digitally sign your macro project.

    Screenshot of selecting Digital Signature

  3. Select Choose to choose the certificate private key to use to sign the VBA project, and then select OK.

    Select a certificate

  4. To generate the new signatures, save the file again. The new digital signatures will replace the previous signatures.

Use SignTool to re-sign VBA files

SignTool in the Windows 10 SDK can help you re-sign the VBA files through a command line. To batch the re-signing work against the inventory list that's identified in the "Create an inventory of signed VBA files" section, you can integrate SignTool into your own admin tools.

Note: Currently, SignTool doesn't support Microsoft Access.

To re-sign VBA files by using SignTool, follow these steps:

  1. Download and install the Windows 10 SDK.

  2. Download Officesips.exe from Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects.

  3. To sign files and verify the signatures in files, register Msosip.dll and Msosipx.dll, and then run Offsign.bat. The detailed steps are included in the Readme.txt file in the installation folder of Officesips.exe.

Note: Use the x86 version of SignTool in the "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86" folder when you run Offsign.bat.

Enable policy setting: "Only trust VBA macros that use V3 signatures"

After you complete the upgrade to the V3 signatures, we recommend that you enable the Only trust VBA macros that use V3 signatures policy setting to make sure that only V3 signature-signed files are trusted.

This policy setting is available in Group Policy or the Office Cloud Policy Service. It is located in User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Trust Center. If this setting is enabled, only the V3 signature will be considered as valid when Office validates the digital signature in files. Earlier-format signatures in VBA files will be ignored.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!