The April 2020 security fixes for Microsoft Office come with a warning that some VBA code will stop working. There are workarounds to let some references through.
The KB4557055 security fix blocks VBA references that link to Internet or intranet sources or have been downloaded from the Internet. That will effect some Office/VBA code which will need updating.
That’s a good move and some might argue, a belated one. It stops hackers trying to infect a computer by hiding malicious code in an external library or taking over the references stored elsewhere.
What is blocked?
Three broad types of reference are now blocked when the link is from the Internet, intranet or downloaded from the Internet.
- Typelibs (*.olb, *.tlb, *.dll)
- Executable files (*.exe)
- ActiveX controls(*.ocx)
VBA won’t be able to ‘see’ the external library and shows a “ Can’t find project or library “ error.
Source: Microsoft
Workarounds
There are ways to unblock access to external references.
Intranet links can be enabled via a Group Policy – Administrative Templates | Microsoft Office 2016 | Security Settings
| All VBA to load typelib references by path from untrusted intranet locations.
Source: Microsoft
Object libraries (DLL) will load if registered using regsvr32 .
What about trusted locations?
Microsoft documentation implies that these changes apply to all external references but the GPO details (see above) suggest that links to trusted sites will still work.
Who gets it?
According to Microsoft, the change applies to; Office 365, Office 2016, Office 2013 and Office 2010.
We assume the omission of Office 2019 is a mistake. Just one of the problems with the documentation of this major change.
NSA discovered security bug that can affect Microsoft Office
Windows update causes Office VBA to fail