Content deleted Content added
m Updated website link |
No edit summary |
||
| (6 intermediate revisions by 5 users not shown) | |||
Line 2:
{{Infobox programming language
| logo = Microsoft Visual Basic for Applications logo.svg
| logo_size = 200px
| paradigm = [[Multi-paradigm programming language|Multi-paradigm]]
| year = {{Start date and age|1993}}
| designer =
| developer = [[Microsoft]]
| latest_release_version =
712([[Microsoft Office 2021|Office 2021]]) | latest_release_date =
| latest_test_version =
Line 34 ⟶ 37:
When Visual Basic was released in 1991, it seemed logical to use Visual Basic as the universal programming language for Windows applications. Until that time, each Microsoft application had its own macro language or automation technique, and the tools were largely incompatible. The first Microsoft application to debut VBA was Microsoft Excel 5.0 in 1993, based on Microsoft Visual Basic 3.0. This spurred the development of numerous custom business applications, and the decision was made to release VBA in a range of products.
Windows users learned about the changes through user groups, books, and magazines. Early computer books that introduced VBA programming skills include Reed Jacobsen's ''Microsoft Excel Visual Basic for Windows 95 Step by Step'' (Microsoft Press, 1995) and [[Michael Halvorson]] and Chris Kinata's ''Microsoft Word 97 Visual Basic Step by Step'' (Microsoft Press, 1997).
==Design==
Line 54 ⟶ 59:
As with any common programming language, VBA macros can be created with malicious intent. Using VBA, most of the [[computer security|security]] features lie in the hands of the user, not the author. The VBA host application options are accessible to the user. The user who runs any document containing VBA macros can preset the software with user preferences. [[End-user (computer science)|End-user]]s can protect themselves from attack by disabling macros from running in an application or by granting permission for a document to run VBA code only if they are sure that the source of the document can be trusted.
In February 2022, Microsoft announced its plan to block VBA macros in files downloaded from the Internet by default in a variety of Office apps due to their widespread use to spread malware.<ref>{{Cite web |title=Microsoft to Block Office VBA Macros by Default |url=https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change |access-date=2022-09-26 |website=The Verge |date=7 February 2022 |language=en-US}}</ref>
=== Macro risks ===
A risk with using VBA macros, such as in [[Microsoft Office]] applications, is exposure to viruses.<ref>{{cite web
|author = Vesselin Bontchev
|title = Macro Virus Identification Problems
|url = http://www.people.frisk-software.com/~bontchev/papers/macidpro.html#Richard%E2%80%99s%20Problem
|work = macros viruses
|url-status = dead
|archive-url = https://archive.today/20120805095925/http://www.people.frisk-software.com/~bontchev/papers/macidpro.html#Richard%E2%80%99s%20Problem
|archive-date = 2012-08-05
}}</ref><ref name="Attack prevent">
{{cite journal
| author = Vesselin Bontchev
| year = 1996
| title = Possible macro virus attacks and how to prevent them
| page = 595
| journal = Virus, Macros, Safety of Macros
| volume = 15
| issue = 7
| doi=10.1016/S0167-4048(97)88131-X}}</ref> Risks stem from factors including ease of writing macros which decreases the skill required the write a malicious macro and that typical document sharing practices allow for a virus to spread quickly.<ref name="Melissa">{{cite journal
|author1=Paul Docherty |author2=Peter Simpson |year = 1999
|title = Macro attacks: What next after Melissa?
|journal = Viruses, Safety of Macros
|volume=18 |issue=5 |pages=391–395 |doi=10.1016/S0167-4048(99)80084-4
}}</ref>
;System macro virus
A system macro {{endash}} one that provides a core operation {{endash}} can be redefined. This allows for significant flexibility, but also is a risk that hackers can exploit to access the document and its host computer without the user's knowledge or consent. For example, a hacker could replace the built-in core functionality macros such as AutoExec, AutoNew, AutoClose, AutoOpen, AutoExit with malicious versions.<ref name="Melissa" /> A malicious macro could be configured to run when the user presses a common keyboard shortcut such as {{keypress|Ctrl+B}} which is normally for bold font.<ref name="Melissa" />
;Document-to-macro conversion
A type of macro virus that cuts and pastes the text of a document in the macro. The macro could be invoked with the Auto-open macro so that the text would be re-created when the document (empty) is opened. The user will not notice that the document is empty. The macro could also convert only some parts of the text in order to be less noticeable. Removing macros from the document manually or by using an anti-virus program could lead to a loss of content in the document.
<ref name="Attack prevent"/>{{rp|609–610}}
;Polymorphic macros
''[[Polymorphic code|Polymorphic]] viruses change their code in fundamental ways with each replication in order to avoid detection by anti-virus scanners.''<ref>[https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ef83e4e-3622-4ae3-a395-a0dd9107eb77&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments Polymorphics macros]</ref>
In [[Microsoft Word|WordBasic]] (first name of the language [[Visual Basic]]), [[Polymorphic code|polymorphic]] viruses are difficult to do.<br />
Indeed, the macro's [[Polymorphic code|polymorphism]] relies of the [[encryption]] of the document. However, the hackers have no control of the [[encryption key]].<br />
Furthermore, the encryption is inefficient: the encrypted macros are just in the document, so the encryption key is too and when a [[Polymorphic code|polymorphic]] macro replicates itself, the key does not change (the replication affects only the macro not the encryption).<br />
In addition to these difficulties, a macro can not modify itself, but another macro can. WordBasic is a powerful language, it allows some operations to the macros:
* Rename the variables used in the macro(s).
* Insert random comments between the operators of its macro(s)
* Insert between the operators of its macros other, ‘do-nothing’ WordBasic operators which do not affect the execution of the virus.
* Replace some of its operators with others, equivalent ones, which perform the same function.
* Swap around any operators the order of which does not impact the result of the macro’s execution.
* Rename the macro(s) themselves to new, randomly selected names each time the virus replicates itself to a new document, with the appropriate changes in these parts of the virus body which refer to these macros.
So, in order to implement macros viruses which can change its contents, hackers have to create another macro which fulfills the task to modify the content of the virus. However, this type of macro viruses is not widespread. Indeed, hackers frequently choose to do macro viruses because they are easy and quick to implement. Making a [[Polymorphic code|polymorphic]] macro requires a lot of knowledge of the WordBasic language (it needs the advanced functionalities) and more time than a "classic" macro virus. Even if a hacker were to make a polymorphic macro, the [[Polymorphic code|polymorphism]] needs to be done, so, the document needs to update and the update can be visible to a user.<ref name="Attack prevent"/>{{rp|610–612}}
;Chained macros
During replication, a macro can create do-nothing macros. But this idea can be combined with polymorphic macros, so macros are not necessarily do-nothing; each macro invokes the next one, so they can be arranged in a chain. In such a case, if they are not all removed during a disinfection, some destructive payload is activated. Such an attack can crash the winword processor with an internal error. Since [[Microsoft Word|Winword 6.0]], the number of macros per template is limited to 150, so the attack is limited, too, but can still be very annoying.
<ref name="Attack prevent"/>{{rp|623}}
;"Mating" macro viruses
Macro viruses can, in some cases, interact between themselves. If two viruses are executed at the same time, both of them can modify the source code of each other.<br />
So, it results a new virus which can not be recognize by the anti-viruses software. But the result is totally random: the macro virus can be more infectious or less infectious, depending upon which part of the virus has been changed.<br />
However, when the 'mating' is unintentional, the resulting macro virus has more chances to be less infectious.<br />
Indeed, in order to replicate itself, it has to know the commands in the source code, but, if it is changed with a random scheme, the macro can not replicate itself.<br />
Nevertheless, it is possible to do such macros intentionally (it is different from polymorphic macros viruses which must use another macro to change their contents) in order to increase the infectivity of the two viruses.<br />
In the example of the article,<ref name="Attack prevent"/>{{rp|612–613}} the macro virus ''Colors<ref name="Colors">{{Cite web |url=http://www.probertencyclopaedia.com/cgi-bin/res.pl?keyword=Word+Color+Macro+Virus&offset=0 |title=Macro Virus Colors |access-date=2012-12-15 |archive-url=https://web.archive.org/web/20121122142747/http://www.probertencyclopaedia.com/cgi-bin/res.pl?keyword=Word+Color+Macro+Virus&offset=0 |archive-date=2012-11-22 |url-status=dead }}</ref>'' infected a document, but another infected the user's system before : the macro virus ''Concept''.<br />
Both of these viruses use the command ''AutoOpen'', so, at first, the macro virus ''Colors'' was detected but the command ''AutoOpen'' in it was the command of the macro virus ''Concept''.<br />
Moreover, when ''Concept'' duplicates itself, it is unencrypted, but the command in the virus ''Colors'' was encrypted (Colors encrypt its commands).<br />
So, replication of the macro virus ''Concept'' results in the hybridation of this macro virus (which had infected the user's system first) and ''Colors''.<br />
The "hybrid" could replicate itself only if ''AutoOpen'' were not executed; indeed this command comes from ''Concept'', but the body of the hybrid is ''Colors'', so that create some conflicts.<br />
This example shows the potential of mating macro viruses: if a couple of mating macro viruses is created, it will make it more difficult to detect both macro viruses (in this hypothesis, there are only two viruses which mate) by the [[Signature based detection|virus-specific]] scanners and may reinforce the virility of the viruses.<br />
Fortunately, this type of macro virus is rare (more than the polymorphic macro viruses, one may not even exist), indeed, creating two (or more) which can interact with each other and not reduce the virility (rather reinforce it) is complicated.
;Macro virus mutators
Among the worst scenarios in the world of viruses would be a tool allowing one to create a new virus by modifying an existing one.
For executable files, it is hard to create this kind of tool. But it is very simple for macro viruses since sources of macros are always available. Based on the same idea of polymorphic macros, a macro can perform modifications to all macros present in the document. Considering this, there are just a few modifications to make to the macro in order to convert it in a macro virus mutator.
So it is easy to create macro virus generators, and thereby to create quickly several thousands of known viruses.
<ref name="Attack prevent"/>{{rp|613–614}}
;Parasitic macro viruses
Most macros viruses are stand-alone; they do not depend on other macros (for the infectious part of the virus, not for the replication for some viruses), but some macros viruses do. They are called parasitic macros.<ref name="Attack prevent"/>{{rp|614–615}}
When launched, they check other macros (viruses or not), and append their contents to them. In this way, all of the macros became viruses.
But, this type of macro can not be spread as quickly as stand-alone macros.
Indeed, it depends on other macros, so, without them, the virus can not be spread. So, parasitic macros often are hybrid: they are stand alone and they can infect other macros.
This kind of macro virus poses real problems to the [[Virus scanner#Signature-based detection|virus-specific]] anti-virus; in fact, they change the content of other viruses, so that accurate detection is not possible.
==== Suboptimal anti-virus ====
There are different types of anti-virus (or scanners), one is the [[heuristic analysis]] anti-virus which interprets or emulates macros.<br />
Indeed, to examine all branches of macros require a [[NP-complete]] complexity<ref name="Attack prevent"/>{{rp|605}} (using [[backtracking]]), so in this case, the analysis of one document (which contains macros) would take too much time. Interpreting or emulating a macro would lead to either [[False positive#Type I error|false positive]] errors or in macro viruses not detected.
Another type of anti-virus, the [[Integrity checker#Integrity verification|integrity checker]] anti-virus, in some cases, does not work: it only checks documents with extensions DOT<ref>[http://www.file-extensions.org/dot-file-extension DOT extension]</ref> or [[Microsoft Word#Filename extensions|DOC]] (indeed, some anti-virus producers suggest to their users), but Word documents can reside in others extensions than those two, and the content of the document tends to change often.<ref name="Attack prevent"/>{{rp|605}}<br /> So, like the [[heuristic analysis]], this can lead to [[False positive#Type I error|false positives]] errors, due to the fact that this type of anti-virus checks the whole document.<br />
The last type of anti-virus seen will be the [[Virus scanner#Signature-based detection|virus-specific]] scanner.<ref name="Attack prevent"/>{{rp|608}} It searches the signature of viruses, so, the type of anti-virus is weaker than the previous ones.<br />
Indeed, the viruses detected by [[Virus scanner#Signature-based detection|virus-specific]] scanners are just the ones known by the software producers (so, more updates are needed than in other types of scanners). Moreover, this type of anti-virus is weak against morphing viruses (cf.[[#Different types of macros viruses|section above]]). If a macro virus change its content (so, its signature), it cannot be detected any more by the [[Virus scanner#Signature-based detection|virus-specific]] scanners, even if it is the same virus doing the same actions. Its signature does not match the one declared in the virus scanner.
Additional to the responsibility of the anti-virus is the user's responsibility: if a potential macro virus is detected, the user can choose what to do with it: ignore it, [[Quarantine (computing)|quarantine]] it or destroy it, but the last option is the most dangerous.<br />
The anti-virus can activate some destructive macro viruses which destroy some data when they are deleted by the anti-virus.<br />
So, both virus scanners and users are responsible for the security and the integrity of the documents/computer.<br />
Moreover, even if the anti-virus is not optimal in the virus detection, most macro viruses are detected and the progression in virus detection improves but with creation of new macro viruses.
==Version history==
Line 67 ⟶ 164:
As of July 1, 2007, Microsoft no longer offers VBA distribution licenses to new customers. Microsoft intended to add .NET-based languages to the current version of VBA ever since the release of the [[.NET Framework]],<ref>{{cite web|url=http://blogs.thinktecture.com/cnagel/archive/2005/09/14/414225.aspx|title=Visual Studio for Applications|url-status=dead|archive-url=https://web.archive.org/web/20071217064436/http://blogs.thinktecture.com/cnagel/archive/2005/09/14/414225.aspx|archive-date=2007-12-17}}</ref> of which versions 1.0 and 1.1 included a scripting runtime technology named ''Script for the .NET Framework''.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/ms974548.aspx|title=Introducing Visual Studio for Applications|website=msdn.microsoft.com}}</ref> Visual Studio .NET 2002 and 2003 SDK contained a separate scripting IDE called ''Visual Studio for Applications'' (VSA) that supported VB.NET.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/ms974577.aspx|title=Script Happens .NET|website=msdn.microsoft.com}}</ref><ref>{{cite web|url=http://redmondmag.com/news/article.asp?EditorialsID=126|title=Microsoft Takes Wraps Off VSA Development Technology|url-status=dead|archive-url=https://web.archive.org/web/20071217062427/http://redmondmag.com/news/article.asp?EditorialsID=126|archive-date=2007-12-17}}</ref><ref name="VSA">{{cite web|url=http://www.codeproject.com/csharp/vsascripting.asp|title=VSA scripting in .NET|url-status=dead|archive-url=https://web.archive.org/web/20070211180713/http://www.codeproject.com/csharp/VsaScripting.asp|archive-date=2007-02-11}}</ref> One of its significant features was that the interfaces to the technology were available via [[Active Scripting]] ([[VBScript]] and [[JScript]]), allowing even .NET-unaware applications to be scripted via .NET languages. However, VSA was deprecated in version 2.0 of the .NET Framework,<ref name="VSA" /> leaving no clear upgrade path for applications desiring Active Scripting support (although "scripts" can be created in [[C Sharp (programming language)|C#]], [[VBScript]], and other .NET languages, which can be [[compiler|compiled]] and executed at run-time via [[library (computing)|libraries]] installed as part of the standard .NET runtime).
Microsoft dropped VBA support for [[Microsoft Office 2008 for Mac]].<ref>{{cite web|url=http://www.macworld.com/news/2006/08/07/msuniversal/index.php|date=2006-08-07|work=[[Macworld]]|title=WWDC: Microsoft updates Universal status of Mac apps|access-date=2007-05-25|archive-date=2008-07-19|archive-url=https://web.archive.org/web/20080719162641/http://www.macworld.com/news/2006/08/07/msuniversal/index.php|url-status=dead}}</ref><ref>{{cite web|url=https://products.office.com/en-us/microsoft-office-for-home-and-school-faq|title=What is Microsoft Office and Office 365 – FAQs}}</ref> VBA was restored in [[Microsoft Office for Mac 2011]]. Microsoft said that it has no plan to remove VBA from the Windows version of Office.<ref>{{cite web|url=https://blogs.msdn.microsoft.com/vsto/2008/01/16/the-reports-of-vbas-demise-have-been-greatly-exaggerated|title=The Reports of VBA's Demise Have Been Greatly Exaggerated}}</ref><ref>{{cite web |title=Clarification on VBA Support |url=http://blogs.msdn.com/excel/archive/2008/01/16/clarification-on-vba-support.aspx |url-status=dead |archive-url=https://web.archive.org/web/20080411025937/http://blogs.msdn.com/excel/archive/2008/01/16/clarification-on-vba-support.aspx |archive-date=2008-04-11}}</ref>
With [[Office 2010]], Microsoft introduced VBA7, which contains a true pointer data type: LongPtr. This allows referencing 64-bit address space. The 64-bit install of Office 2010 does not support common controls of MSComCtl (TabStrip, Toolbar, StatusBar, ProgressBar, TreeView, ListViews, ImageList, Slider, ImageComboBox) or MSComCt2 (Animation, UpDown, MonthView, DateTimePicker, FlatScrollBar), so legacy 32-bit code ported to 64-bit VBA code that depends on these common controls will not function. This did not affect the 32-bit version Office 2010.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/ee691831.aspx|title=Compatibility Between the 32-bit and 64-bit Versions of Office 2010|website=msdn.microsoft.com}}</ref> Microsoft eventually released a 64-bit version of MSComCtl with the July 27th, 2017 update to Office 2016.<ref>{{cite web|url=https://learn.microsoft.com/en-us/officeupdates/monthly-channel-2017#version-1707-july-27|title=Release notes for Monthly Channel releases in 2017|website=learn.microsoft.com|access-date=2022-11-13}}</ref>
| |||