Word Macros: The Risk
Macros are supported in Word to let you automate tasks of various degrees of complexity. Macros can be powerful tools that can greatly reduce the time that you will need to finish your work. Even if you know nothing about writing macros, you can create macros by using the Macro Recorder, which records the steps that you perform and translates them into macro code. Macros can also be written directly in a programming language called Visual Basic for Applications (VBA). The macros that you record do not pose any security risk, and macros that are properly written by people with good intentions should be safe for you to use, but macros written by a malicious user may include code that can harm the data files and applications stored on your computer or can install viruses and other types of malware on your computer. Macros written in VBA by a person with good intentions may also contain coding errors that, for example, can cause Word to hang. As in the case of software in general, to protect yourself from malicious code and code that contains errors, you should use only macros that you receive from a source that you trust.
Macros that Run Automatically
Macros can be stored in ordinary Word documents, in Word templates, and in add-ins. In addition, there are special names that can be assigned to a macro to indicate to Word that the macro should be launched automatically under specific circumstances. Thus, macros may be running on your computer and performing tasks without your knowledge even if you do not intentionally run any macros yourself. For example, a template may contain a macro named AutoNew. A macro with this name will run automatically when a new document based on the template is created. Similarly, a macro that is named AutoOpen or a document event procedure that is named Document_Open will run automatically when the document containing it is opened in Word. Such a macro or event procedure may include malicious code that you would not want to run on your computer. The following table lists the special names that can be assigned to macros so that they will run automatically and the circumstances under which Word will launch them.
Name | Description |
---|---|
AutoExec | Runs automatically when Word starts if the AutoExec macro is stored in the default template (Normal.dotm or Normal.dot), any template or add-in that resides in the Word Startup folder, or any template or add-in that is added to the list of global templates and add-ins in Word. For example, an AutoExec macro can be written to open a certain file whenever you start Word. AutoExec macros do not run when Word is started by typing winword /m in the Windows Run dialog box. |
AutoNew | Runs after you create a new document based on a template in which the AutoNew macro is stored. An AutoNew macro is often used to open a dialog box, in which the user provides information that is used to insert text and other document elements into the new document. |
AutoOpen | Runs after you open a document if the AutoOpen macro is stored in the template attached to the document, in the default template, or in a global template. The AutoOpen macro does not run when a document is opened programmatically. |
AutoClose | Runs when you close a document if the AutoClose macro is stored in the template attached to the document, in the default template, or in a global template. |
AutoExit | Runs when you quit Word if the AutoExit macro is stored in the default template or a global template. |
In addition to the specially named macros that run automatically, a document or template may also contain specific event procedures that will also run automatically when a specific document event occurs. These event procedures are very similar to macros, and the security settings that apply to macros also apply to them. The following table lists the document event procedures that are supported by Word.
Name | Description |
---|---|
Document_New | Runs after you create a new document based on a template in which the Document_New event procedure is stored in the template's ThisDocument module. |
Document_Open | Runs after you open a document in which the Document_Open event procedure is stored in the document's ThisDocument module or open a document based on a template in which the Document_Open event procedure is stored in the template's ThisDocument module. |
Document_Close | Runs when you close a document in which the Document_Close event procedure is stored in the document's ThisDocument module or close a document based on a template in which the Document_Close event procedure is stored in the template's ThisDocument module. |
If automatically launched macros with the same name are stored in a document and the attached template, only the macro stored in the document will run. If event procedures for the same document event are stored in a document and its attached template, both event procedures will run.
This detailed information about macros that run automatically and event procedures for document events is presented here to show you that there are many ways in which malicious code can be embedded in documents and templates. For more information about how these macros and event procedures can be used for legitimate purposes, see the technical article Take Control of Microsoft Word Through Events in MSDN.
In addition, malicious users can take advantage of the fact that a macro that is given a name identical to any Word command, such as FileExit, FileSave, FileNew, or FileSaveAs, will run instead of the command when you invoke the command. For example, a macro named FileSave will run and perform whatever actions the code in it specifies whenever you try to save a document.
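As an added illustration (not part of the original article), the following Python sketch triages VBA source text that has already been extracted from a document and its attached template: it flags the names in the two tables above and the four command names just cited, then applies the document-versus-template precedence rule. The function names, the {module: source} input shape, and the sample modules are assumptions constructed for this example; the page states no precedence rule for command-named macros, so those are all reported.

```python
import re

# Names from the two tables on this page; VBA identifiers are case-insensitive.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit"}
DOC_EVENTS = {"document_new", "document_open", "document_close"}
# Only the four command names the page cites; Word has many more commands.
COMMANDS = {"fileexit", "filesave", "filenew", "filesaveas"}

# Matches a Sub declaration at line start, so commented-out code is skipped.
SUB_RE = re.compile(
    r"^[ \t]*(?:(?:Public|Private)[ \t]+)?(?:Static[ \t]+)?Sub[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def classify(module, source):
    """Return [(procedure, kind)] for names Word treats specially."""
    hits = []
    for name in SUB_RE.findall(source):
        key = name.lower()
        if key in AUTO_MACROS:
            hits.append((name, "auto-macro"))
        elif key in DOC_EVENTS and module.lower() == "thisdocument":
            # The tables place event procedures in the ThisDocument module.
            hits.append((name, "document-event"))
        elif key in COMMANDS:
            hits.append((name, "command-override"))
    return hits

def effective(document, template):
    """Apply the page's precedence rule to {module: source} maps (assumed shape)."""
    doc = [("document", m, n, k) for m, s in document.items() for n, k in classify(m, s)]
    tpl = [("template", m, n, k) for m, s in template.items() for n, k in classify(m, s)]
    shadowed = {n.lower() for _, _, n, k in doc if k == "auto-macro"}
    # Same-named auto macro: only the document's copy runs. Events: both run.
    return doc + [h for h in tpl if not (h[3] == "auto-macro" and h[2].lower() in shadowed)]

# Constructed sample modules, not taken from a real document.
DOC = {
    "ThisDocument": "Private Sub Document_Open()\nEnd Sub\n",
    "NewMacros": "Sub AutoOpen()\nEnd Sub\n' Sub AutoClose()\n"
                 "Sub FileSave()\nEnd Sub\nSub Document_Close()\nEnd Sub\n",
}
TPL = {
    "ThisDocument": "Private Sub Document_Open()\nEnd Sub\n",
    "Module1": "Public Sub autoopen()\nEnd Sub\nSub AutoNew()\nEnd Sub\n",
}

if __name__ == "__main__":
    print(*effective(DOC, TPL), sep="\n")
```

Storage-location conditions from the tables (for example, AutoExec running only from the default or a global template) are not modelled, so each hit is a prompt for review rather than proof that the procedure would run.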
Macros that may contain malicious code should be disabled. On the other hand, you may have macros from sources that you trust, and you may want to enable those macros to run on your computer. Fortunately, Word provides security levels that you can select to control which macros will be allowed to run on your computer. With certain security levels, a warning will be displayed when you try to open a document that contains macros, which may include a macro that will run automatically when you open the document. After you know that the document contains macros, you can still open it safely by holding down the Shift key when you open it in Word. You can then delete the macros from the document or copy the content to a new document. With a properly selected security level, you can protect yourself from malicious macros and still use macros safely and benefit from them.
Security Levels in Word
The following security levels can be selected in the Trust Center dialog box to enable or disable macros in Word. By default, macros stored in templates that reside in the default trusted locations, which include the Word Startup folder, the Word Template folder, and the user Template folder, are allowed to run at all the security levels. For the Microsoft help topic about the security levels for Word 2010 and newer versions of Word, see Enable or Disable Macros in Office Files. For the Microsoft help topic about the security levels for Word 2007, see Enable or Disable Macros in Office Documents. For more detailed information about trusted locations and other security settings in all the Office 2010 products, see Security Policies and Settings in Office 2010.
- Disable all macros without notification. Only macros that are digitally signed with a valid trusted certificate or are stored in a document or template that resides in a trusted location are allowed to run. All other macros are disabled without displaying a notification.
- Disable all macros with notification. Macros that are digitally signed with a valid trusted certificate or are stored in a document or template that resides in a trusted location are allowed to run. All other macros are disabled, but a dialog box is displayed, in which the user can choose to enable the macros. This is the default setting.
- Disable all macros except digitally signed macros. Macros that are digitally signed with a valid trusted certificate or are stored in a document or template that resides in a trusted location are allowed to run. If the macros are digitally signed with a valid certificate that is not trusted and they are not stored in a document or template that resides in a trusted location, a dialog box is displayed, in which the user can choose to trust the certificate and enable the macros. All other macros are disabled without displaying a notification.
- Enable all macros (not recommended; potentially dangerous code can run). All macros are enabled. This setting is not recommended by Microsoft.
In addition, you can select the Trust access to the VBA project object model checkbox. This setting is intended for developers, and it allows programs, particularly automation clients, to access and manipulate the Visual Basic for Applications (VBA) object model.
You can use the following procedure to view or modify the security level for macros in Word.
To view or modify the security level for macros in Word
- Click the File tab (Word 2010 and newer versions of Word) or the Microsoft Office Button (Word 2007), and then click Options (Word 2010 and newer versions of Word) or Word Options (Word 2007).
- In the Word Options dialog box, click Trust Center.
- On the page that appears, click Trust Center Settings.
- In the Trust Center, click Macro Settings.
- If you want to change the security level, under Macro Settings, select the option that you want to apply.
- Click OK to apply the new settings or click Cancel to leave the settings unchanged.
Note that a system administrator can prevent users in an organization from changing the security level. When you change your macro settings in the Trust Center dialog box in Word, they are changed only for Word and are not changed for other Office programs.
If you change the security level, the new settings will be applied only to documents and templates that are opened after the change is made.