Are there security problems by Auto Macro Run when calling Excel?


2

The link below deals with automatic macro execution when Excel starts; my purpose was to control the use of a VBA system.

/questions/121301/auto-executar-macros-no-excel-vba?noredirect=1#comment285974_121301

The proposal is that the user would not open Excel and then call the system, but rather that this initial macro would run directly when Excel is launched.

The idea is that users only ever see the system's VBA forms and nothing of the Excel spreadsheets, and that when the system is closed, Excel is closed as well.

In this particular case, I have not touched Excel's default security or macro settings.

Are there security problems with this practice? Which ones, and why?

2 answers

4


Yes, there are security issues, and potentially very serious. But first, an explanation of the security levels in Excel.

Security Levels

As you may have already noticed, when you create any VBA code in an Excel spreadsheet (that is, it does not even need to be something that runs automatically in the workbook's open event), Excel requires you to save the file with a specific extension (*.xlsm = macro-enabled workbook). Also, when the file is opened, Excel prompts the user (by default) to allow the macros to run or not:

[screenshot]

This is the default mode because Excel seeks to ensure user security. But it can be changed. To do this, go to the "File" menu, choose "Options" and select the "Trust Center" item in the window that appears:

[screenshot]

Then click the "Trust Center Settings" button and select "Macro Settings" in the new window that appears:

[screenshot]

As you can see, there are four (4) distinct options for how Excel should handle macro security. They are (in a free translation of the documentation):

  • Disable all macros without notification. Click this option if you don't trust macros (they are very evil! lol). All macros in documents, and the security alerts about them, will be disabled. If there are documents with unsigned macros that you trust, you can place them in a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system.

  • Disable all macros with notification. This is the default setting. Click this option if you want macros to be disabled but still want to receive security alerts when a document contains macros. This way, you can choose when to enable macros in each document you open.

  • Disable all macros except digitally signed macros. This setting is the same as "Disable all macros with notification", except that if a macro is digitally signed by a recognized publisher and you have already trusted that publisher, the macro can run. If you have not yet trusted the publisher, you will be notified. This way, you can choose when to enable signed macros or to trust the publisher. All unsigned macros are disabled without notification.

  • Enable all macros (not recommended; potentially dangerous code can run). Click this option to allow all macros to run. With this setting you leave your computer vulnerable to potentially malicious code, so it is not recommended.

There is also the option "Trust access to the VBA project object model", which is intended for developers who need to access the VBA object model in order to build code dynamically. It is even more dangerous when checked, but I explain that in detail below.

Why is it dangerous?

Excel is software installed on your computer. Unlike JavaScript code, for example, which has no direct access to your computer (to files on disk, say), because the whole structure of that language was designed with that in mind, VBA was made to allow the automation of spreadsheets, presentations, databases, in short any product of the Microsoft Office system. And everything runs locally. That is why VBA does have local access. You can create or delete files, access Internet sites, send e-mails, etc. (just to name a few examples).

It's fine that you trust the VBA code you wrote. But the user will use other spreadsheets, possibly from very diverse sources. Who makes sure that one of them doesn't contain malicious code that, for example, erases all the files on the user's disk? Excel tries to help by preventing the user from running anything they don't know about. As you saw earlier, there is a setting to eliminate this "hassle" of asking. But it is not made per file; it applies to the whole system! Thus, if you release the execution of your code, you release the execution of any code. Including potentially malicious code (which can erase information from disk or even self-replicate into other files, if the option to trust access to the object model is selected, because in that case VBA code may even create or delete other VBA code, in the file itself or in others it finds on the disk). And, worse, all of this will run silently, because Excel will always allow the macro to run without telling the user that something is running.

One could argue that, in a work environment, the user will hardly open any spreadsheet other than the ones they actually use day to day. But this is not true at all. They can download from the Internet that cool spreadsheet with the Brazilian Championship table to open at lunchtime, or an "innocent" spreadsheet that just helps run the Mega Sena pool. And we can't forget that there have been many cases of hackers far more skilled in social engineering than in computing, who simply faked a pretty good resume to get an interview at that inaccessible company, then asked permission to go to the bathroom and left a storage device with malicious code and the label "Payroll" on the water cooler. Curious users are very useful for helping to attack a company from the inside. :)

If you are building something really professional, the ideal is to hire a digital signature service and sign your Excel file so that the macro is signed and trusted. Then you can use option 3 safely, and on top of that convey credibility to your customer. I have never needed to sign a macro, so I don't know how it works. But there is information in the Microsoft documentation.

  • 1

    Luis, thanks for the answer; I believe the signing service will solve my problem in the near future!
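As an added example that is not part of the answer above, this PowerShell script audits the two Trust Center settings the answer discusses (the macro security level and "Trust access to the VBA project object model") by reading the per-user registry values that back them, and flags the risky combinations. It assumes an Office 16.0 install (2016/2019/365) with the values `VBAWarnings` and `AccessVBOM` under the user's Excel\Security key; an absent value is treated as the default.

```powershell
# Added audit example (not from the original answer). Assumptions: Office 16.0
# registry path; VBAWarnings holds the macro option (1 = enable all, 2 = disable
# with notification [default], 3 = disable except signed, 4 = disable without
# notification); AccessVBOM = 1 means "Trust access to the VBA project object model".
# Group Policy (HKCU:\Software\Policies\...) can override these values.
$officeVersion = '16.0'
$securityKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Security"

# Maps VBAWarnings to the four options listed in the answer.
$vbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-ExcelMacroSecurity {
    param([string]$Key = $securityKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # Missing values mean Excel is still on its defaults.
    $warnings   = 2
    $accessVbom = 0
    if ($null -ne $props) {
        if ($null -ne $props.VBAWarnings) { $warnings   = [int]$props.VBAWarnings }
        if ($null -ne $props.AccessVBOM)  { $accessVbom = [int]$props.AccessVBOM }
    }

    [pscustomobject]@{
        VBAWarnings         = $warnings
        MacroSetting        = $vbaWarningsMeaning[$warnings]
        TrustVbaObjectModel = ($accessVbom -eq 1)
        # The two conditions the answer warns about: every workbook's macros run
        # silently, or macros may rewrite other VBA projects on disk.
        Risky               = ($warnings -eq 1 -or $accessVbom -eq 1)
    }
}

$state = Get-ExcelMacroSecurity
$state | Format-List
if ($state.Risky) {
    Write-Warning 'Excel runs all macros or trusts VBA object model access; restore option 2 or 3 and clear AccessVBOM.'
}
```

Run it in the affected user's session, since the values are per user; for a machine-wide check, loop over the loaded user hives or query the policy key instead.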

1

Yes, there are security problems with this practice. From what I understand, you want to access a system of your company via Excel and manipulate its data. To do this, one of the first actions is to provide a login and password, which will be saved. This way it is also easy to gain access to private information that was recorded during the macro executions. There are many other problems, but in my view these are some of the most glaring.

  • Thanks for the reply, Leandro.
