Thanks for the detailed explanation—I really appreciate it! You’ve brought up some great points, and it’s given me a lot to think about.

I didn’t realize that Microsoft Office was originally designed with end-user ribbon modifications in mind. If you happen to have any documentation or references about that, I’d love to check it out. It’s always interesting to learn more about the design decisions behind these tools.

I completely agree that VBA is the bigger security concern, especially given how widely Office is used and how easily users can overlook security risks. That said, I’ve also heard that XML-based customizations (like ribbon modifications) could potentially be exploited if not handled carefully. I’m not an expert on this, but it seems like both VBA and XML could have their own vulnerabilities depending on how they’re used.

It’s cool to hear about the alternatives like VSTO and Office JS Apps. Office JS Apps sound promising, especially since they’re cross-platform, but I can see how the lack of depth in the API compared to COM might be a drawback.

And yeah, it’s no surprise that Microsoft has been trying to move away from VBA for a while now. It’s interesting how it’s stuck around for so long, but it does seem like its usage is finally declining. Maybe this time they’ll succeed in phasing it out.

You’re absolutely right that the ribbon itself isn’t the security risk—it’s the code that gets executed. I doubt most bad actors would bother with ribbon modifications when they can just embed malicious code directly in a document. Still, I wonder if there’s any risk in how XML customizations are handled, especially if they’re not properly secured.

Anyway, thanks again for sharing your thoughts—this has been really helpful! If you have any more insights or resources, I’d love to hear them.