2.3.27.9 Ensure 'Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine' is set to 'Disabled'

Information

This policy setting restricts VBA to checking project library references only against the registry and trusted zones.

The recommended state for this setting is: Disabled

Rationale:

A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 0a0b2d1104aa2cdbbf833f833d5fd944ccf6185a7f469655f50f938490286ebb