Quote:
Originally Posted by Italophile
The Microsoft Office applications were originally designed for end-user ribbon modifications.
As I originally stated, it is NOT modifying the ribbon that is the issue, it is the use of VBA that is the security issue. VBA is only a security issue because Office is used by lots of people who are routinely careless about security.
There are other methods of customizing Office:
- VSTO - not cross-platform as it can only be used with Windows.
- Office JS Apps - cross platform but the API doesn't have the depth that the COM object model does.
Microsoft has wanted to kill off VBA for a long time, but every time it tries to replace VBA with a modern technology it has only limited success. However, use of, and interest in, VBA has dwindled in recent years so perhaps they'll finally get their wish.
Customizing the Ribbon is only a security risk if it requires code to be executed, and it is the code that is executed that is the security risk not the Ribbon XML. I doubt that any bad actor would bother to modify the ribbon when code can be executed automatically simply by opening a document.
Thanks for the detailed explanation—I really appreciate it! You’ve brought up some great points, and it’s given me a lot to think about.
I didn’t realize that Microsoft Office was originally designed with end-user ribbon modifications in mind. If you happen to have any documentation or references about that, I’d love to check it out. It’s always interesting to learn more about the design decisions behind these tools.
I completely agree that VBA is the bigger security concern, especially given how widely Office is used and how easily users can overlook security risks. That said, I’ve also heard that XML-based customizations (like ribbon modifications) could potentially be exploited if not handled carefully. I’m not an expert on this, but it seems like both VBA and XML could have their own vulnerabilities depending on how they’re used.
It’s cool to hear about the alternatives like VSTO and Office JS Apps. Office JS Apps sound promising, especially since they’re cross-platform, but I can see how the lack of depth in the API compared to COM might be a drawback.
And yeah, it’s no surprise that Microsoft has been trying to move away from VBA for a while now. It’s interesting how it’s stuck around for so long, but it does seem like its usage is finally declining. Maybe this time they’ll succeed in phasing it out.
You’re absolutely right that the ribbon itself isn’t the security risk—it’s the code that gets executed. I doubt most bad actors would bother with ribbon modifications when they can just embed malicious code directly in a document. Still, I wonder if there’s any risk in how XML customizations are handled, especially if they’re not properly secured.
Anyway, thanks again for sharing your thoughts—this has been really helpful! If you have any more insights or resources, I’d love to hear them.
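The distinction discussed in this thread, that Ribbon XML only names callbacks while the executable code lives in the VBA project, can be checked on a file before it is opened. The following is an added example, not part of either post: the function names `ribbon_callbacks`, `triage` and `build_sample` are hypothetical, and the sample package is constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Callback attributes are the only parts of Ribbon XML that name code to run.
CALLBACK_ATTRS = {"onLoad", "onAction", "onChange", "loadImage"}

def ribbon_callbacks(xml_bytes):
    """Return sorted (attribute, handler name) pairs found in one customUI part."""
    if b"<!DOCTYPE" in xml_bytes:  # ribbon parts need no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in customUI part")
    found = set()
    for el in ET.fromstring(xml_bytes).iter():
        for attr, value in el.attrib.items():
            if attr in CALLBACK_ATTRS or attr.startswith("get"):
                found.add((attr, value))
    return sorted(found)

def triage(package_bytes):
    """Report whether an OOXML package holds a VBA project and ribbon callbacks."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = z.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        callbacks = {}
        for n in names:
            if n.lower().startswith("customui/") and n.lower().endswith(".xml"):
                callbacks[n] = ribbon_callbacks(z.read(n))
    return {"vba_parts": vba, "ribbon_callbacks": callbacks}

def build_sample(with_vba):
    """Constructed sample package: one ribbon part, optionally a dummy VBA part."""
    ribbon = (b'<customUI xmlns="http://schemas.microsoft.com/office/2009/07/customui" '
              b'onLoad="RibbonLoaded"><ribbon><tabs><tab id="t1" label="Demo">'
              b'<group id="g1" label="G"><button id="b1" label="Run" '
              b'onAction="RunReport"/></group></tab></tabs></ribbon></customUI>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("customUI/customUI14.xml", ribbon)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage(build_sample(flag)))
```

A package that lists ribbon callbacks but has no `vbaProject.bin` part carries handler names with no VBA behind them; the file that needs macro review is the one where both are present.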