FAQ for VBA solutions affected by April 2020 Office security updates

Applies to: Office 365, Office 2016, Office 2013

Summary


When you install one of the Microsoft Office security updates that are listed in Microsoft Common Vulnerabilities and Exposures CVE-2020-0760, you might notice that some types of Visual Basic for Applications (VBA) references are blocked, and you receive an error message.

This article provides some frequently asked questions (FAQ) to tell users and IT admins what to do if their existing VBA solution breaks.

Note: This change in behavior is caused by a design change in Office. The new behavior is by design. Therefore, a fix is not necessary and no mitigation will be provided.

Which types of VBA references are affected?


The following types of VBA references might be affected:

  • Typelibs (*.olb, *.tlb, *.dll)
  • Executable files (*.exe)
  • ActiveX controls (*.ocx)

These files might be blocked if they are located on the internet or intranet servers, or if they are downloaded from the internet.

For more information about the VBA object library reference, see Check or add an object library reference.

What error message is shown when the VBA object libraries are blocked?


If your existing VBA solutions have some VBA object libraries or references that are blocked, the following error message is displayed.

[Image: Error message when VBA libs are blocked]

This is a standard message that indicates missing VBA object libraries. If you receive this error message, revisit your current VBA solution, and replace the blocked libraries with local ones.
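To find which references need replacing with local copies, the PowerShell sketch below classifies reference paths by the file types and locations this FAQ lists. It is an added example, not Microsoft's code: the function name `Get-VbaReferenceLocation` and the sample paths are constructed, the input is assumed to be the paths shown in the VBA References dialog (the `FullPath` property of each reference), and treating the `Zone.Identifier` stream as the marker for "downloaded from the internet" is an assumption the article does not state.

```powershell
# Added example, not Microsoft's code. Classifies VBA reference paths by file type
# and location so that remote or downloaded libraries can be swapped for local copies.
$AffectedExtensions = '.olb', '.tlb', '.dll', '.exe', '.ocx'   # types listed in this FAQ

function Get-VbaReferenceLocation {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        # A type library embedded in a DLL can be registered as "file.dll\3"; drop the index.
        $file     = $Path -replace '\\\d+$', ''
        $ext      = [System.IO.Path]::GetExtension($file).ToLowerInvariant()
        $affected = $AffectedExtensions -contains $ext
        $location = 'Local'; $zone = $null
        if ($file -match '^https?://') {
            $location = 'URL'
        } elseif ($file -match '^\\\\') {
            $location = 'UNC share'
        } elseif ($file -match '^[A-Za-z]:\\') {
            $drive = [System.IO.DriveInfo]::new($file.Substring(0, 3))
            if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
                $location = 'Mapped network drive'
            } elseif (Test-Path -LiteralPath $file) {
                # Assumption: a download is marked by the Zone.Identifier alternate
                # data stream (ZoneId 3 = Internet, 4 = Restricted sites).
                $ads = Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
                if (($ads -join "`n") -match 'ZoneId=(\d)') {
                    $zone = [int]$Matches[1]
                    if ($zone -ge 3) { $location = 'Local, downloaded' }
                }
            }
        }
        [pscustomobject]@{
            Path         = $Path
            AffectedType = $affected
            Location     = $location
            ZoneId       = $zone
            Review       = $affected -and ($location -ne 'Local')
        }
    }
}

# Constructed sample paths, for illustration only
@(
    'C:\Windows\System32\stdole2.tlb'
    '\\fileserver.example\libs\Reporting.tlb'
    'http://intranet.example/controls/Grid.ocx'
    'C:\Users\Public\Downloads\Helper.dll\3'
) | Get-VbaReferenceLocation | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the references to revisit. The `-Stream` parameter is available only on Windows.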

What should I do to unblock VBA object libraries?


Internet VBA object libraries: We recommend that you block these because they are vulnerable.

Intranet VBA object libraries: You can enable these through a GPO setting, as shown in the following image. The setting is located under User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings.

[Image: GPO settings]