April 2020 updates for Office come with a warning

Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

The April 2020 security fixes for Microsoft Office come with a warning that some VBA code will stop working. There are workarounds to let some references through.

The KB4557055 security fix blocks VBA references that link to Internet or intranet sources or have been downloaded from the Internet. That will effect some Office/VBA code which will need updating.

That’s a good move and some might argue, a belated one.  It stops hackers trying to infect a computer by hiding malicious code in an external library or taking over the references stored elsewhere.

What is blocked?

Three broad types of reference are now blocked when the link is from the Internet, intranet or downloaded from the Internet.

  • Typelibs (*.olb, *.tlb, *.dll)
  • Executable files (*.exe)
  • ActiveX controls(*.ocx)

VBA won’t be able to ‘see’ the external library and shows a “ Can’t find project or library “ error.

Source: Microsoft

Workarounds

There are ways to unblock access to external references.

Intranet links can be enabled via a Group Policy – Administrative TemplatesMicrosoft Office 2016 | Security Settings
| All VBA to load typelib references by path from untrusted intranet locations.

Source: Microsoft

Object libraries (DLL) will load if registered using regsvr32 .

What about trusted locations?

Microsoft documentation implies that these changes apply to all external references but the GPO details (see above) suggest that links to trusted sites will still work.

Who gets it?

According to Microsoft, the change applies to; Office 365, Office 2016, Office 2013 and Office 2010.

We assume the omission of Office 2019 is a mistake. Just one of the problems with the documentation of this major change.

NSA discovered security bug that can affect Microsoft Office

Windows update causes Office VBA to fail