
Viva VBA - alas

Entrenched victory


In the early 1990s when Visual Basic (VB) first infiltrated Excel to become Visual Basic for Applications (VBA), it helped push Microsoft's then-fledgling spreadsheet so far ahead of others that most people today are not aware many competitors even existed.

Lotus Development - since consumed by IBM - turned down a chance to incorporate VB into its groundbreaking 1-2-3 spreadsheet, telling the ISV who offered the module: "We don't wish to endorse it."

It is by such decisions that whole businesses die.

Today VBA is a playground for virus writers because, unlike other ways to spread your filth, getting VBA to copy itself and change a few files is the work of just a few minutes for anyone with any programming experience. Hacking a .exe header in assembler is tougher. Microsoft's big cash cow Office is entirely customizable using VBA, yet one is presented with messages of the form "Outlook is really scared of VBA, and so should you be, do you really want to do this?"

It's little wonder, then, that the introduction of a new version of Office leads to speculation that VBA will be buried. But while it's already gone from Mac Office - because the poor dears at Microsoft found the effort of coding it up too hard - it's unlikely to vanish from Office for the PC for at least the next version.

The Vole may be evil but it is damned good at making money, and this is why VBA is not leaving Office any time soon.

VBA is firmly established in the majority of businesses, big and small, keeping them running and programmers gainfully employed.

VBA, for example, runs the world financial markets. The credit crunch happened mostly in the minds of Excel spreadsheets doing horribly complex calculations in a language designed to change formatting, or to capture and validate user input.

They are not even good VBA macros. The most common degree for the quants who do this is physics, not computer science, and those building macros have never even heard of version control or structured programming, or been on any programming course since an introduction to Fortran years ago as an undergrad.

VBA in Word knocks up many of the world's form letters and there are many itinerant VBA hackers wandering from firm to firm keeping them going because they are often as critical to the business as something such as stock control. Flashy effects can be knocked up in PowerPoint and I, personally, would sink under the weight of email without Outlook macros.

There is Visual Tools for Office (VSTO), as Microsoft will tell you. These tools are properly architected and support all the .NET languages, with those on the madder end of the user spectrum even trying it on with F#, but they have a user base trivial in size compared to VBA.

Partly this is because VBA in Excel can actually be written by recording what you want to happen, then meddling to make it do other things. Not great code, but by far the easiest entry point for software development on the planet. So the physicist-quant-programmers mix in with secretaries, accountants, and, yes, even journalists.

With such utility and widespread use, Microsoft rightly fears removing VBA from Office because of the financial pain it would unleash. Although OpenOffice et al nibble at the edges of the cash flow, Office continues to grow almost oblivious to them.
