Not a bug: Outlook Forms run VBScript even when macros are disabled


The fact that you can put a VBScript program inside an Outlook Form and have it execute—even if Outlook has been told not to run macros—has been raising red flags this week. But in spite of what you may have read, that questionable behavior isn’t readily exploited. There’s no gaping security hole to see here. Move along.

Yesterday Richard Chirgwin at The Register wrote about the behavior. The article points to research published late last week by Sensepost. To make a long story short: yes, it's possible to write a VBScript program, attach it to an Outlook Form, and have the script do just about anything on a PC ("within the context of the logged-on user") when the Form is used.

The script will run even if the Outlook Trust Center has been set to show “Notifications for digitally signed macros, all other macros disabled.”
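As an added check, not something from the article or from Sensepost, the following PowerShell reports which Trust Center macro level is in effect for each installed Outlook version by reading the Level value under the Outlook\Security key in both the Group Policy and per-user hives. The registry locations and the meaning of levels 1 through 4 come from Office's administrative templates; the version list and the function name are my assumptions. Its point is what it cannot tell you: the value it reports is the VBA macro gate, and a level 3 result says nothing about VBScript in a custom Form.

```powershell
# Added example (not from the article or from Sensepost): report the Outlook
# Trust Center macro setting for the current user.
# Version list is an assumption covering Office 2010, 2013 and 2016/2019/365.
$versions = '14.0', '15.0', '16.0'

# Level values as documented in the Office administrative templates.
$levelNames = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Notifications for all macros'
    3 = 'Notifications for digitally signed macros, all other macros disabled'
    4 = 'No warnings and disable all macros'
}

function Get-OutlookMacroLevel {
    param([string]$Version)

    # Skip versions that are not present for this user.
    $outlookKey = "HKCU:\Software\Microsoft\Office\$Version\Outlook"
    if (-not (Test-Path $outlookKey)) { return }

    # A Group Policy value overrides the user's own Trust Center choice.
    $candidates = @(
        @{ Path = "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Security"; Source = 'policy' },
        @{ Path = "$outlookKey\Security";                                                 Source = 'user'   }
    )

    foreach ($entry in $candidates) {
        $value = Get-ItemProperty -Path $entry.Path -Name Level -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            return [pscustomobject]@{
                Version = $Version
                Source  = $entry.Source
                Level   = [int]$value.Level
                Meaning = $levelNames[[int]$value.Level]
            }
        }
    }

    # No value written anywhere: Outlook falls back to its default, level 3.
    return [pscustomobject]@{
        Version = $Version
        Source  = 'default'
        Level   = 3
        Meaning = $levelNames[3]
    }
}

$versions | ForEach-Object { Get-OutlookMacroLevel -Version $_ } | Format-Table -AutoSize

Write-Host ''
Write-Host 'Caveat: this value controls the VBA macro engine only. Per Sensepost, VBScript'
Write-Host 'attached to a custom Outlook Form runs through a separate engine, so a level 3'
Write-Host 'result here does not mean form scripts are blocked.'
```

Run it in a normal (non-elevated) PowerShell session as the user whose Outlook you are assessing, since the setting lives in HKCU; a blank table means no supported Outlook version was found for that user.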


That’s not great, but in and of itself it’s a relatively minor problem, which hinges on the definition of “all other macros.” Sensepost explains that the VBScript engine is “separate from the VBA Macro script engine.” Is a VBScript script inside a Form really a macro? You decide.