STUPID Microsoft U-Turn: Unblocks Malicious Macros in Office

Microsoft stunned security professionals by reversing a change that prevents Office from auto-running macros. So don’t expect the malware problem to improve any time soon.

Yes—amazingly—even though we’ve known about this problem for 25 years or so, Microsoft still doesn’t block these dangerous things by default when they’ve been downloaded from the wild, wild web. To make matters worse, Redmond made its volte-face without telling anyone—or at least not with the same self-aggrandizing pomp it employed back in February when it let us know it would be blocking macros.

It’s the age-old tension of security vs. ease of use. In today’s SB Blogwatch, we blame lazy customers and lazier product management.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Justin makes pictures move.

VBA FAIL 365

What’s the craic? Sergiu Gatlan reports—“Microsoft rolls back decision to block Office macros by default”:

Microsoft ‘doesn’t have anything more to share’
While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond … will roll back this change based on “feedback.” … The company has also failed to explain the reason behind this decision and is yet to publicly inform customers.

The change began rolling out in Version 2203 … in early April 2022, with general availability to be reached in June 2022. … This was a welcome and highly expected change, given that VBA macros are a popular method to push a wide range of malware … via phishing attacks with malicious Office document attachments. With VBA macros blocked by default, everyone was expecting attacks … to be automatically thwarted.

In response to our questions as to why they are rolling back this change, a spokesperson told us Microsoft “doesn’t have anything more to share.”

What are these “VBA macros”? ELI5? Matthew Gooding explains like we’re five—“Change of heart is likely to boost cybercriminals”:

A boost for ransomware gangs
In February, Microsoft announced it would make … small programs embedded in word documents … more difficult to execute in documents downloaded from the web. … The change of heart from Microsoft has left some cybersecurity experts baffled.

Widely deployed malware such as Emotet, TrickBot and Qbot have all been spread … using malicious macros embedded in documents. … In February, Microsoft explained that it was making it even harder to activate them by removing the “one click” activation option which currently appears at the top of documents. … Instead users would have to enable them via the document’s properties: … “We will continue … to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled.”

The news is likely to be a boost for ransomware gangs like … Emotet, TrickBot and Qbot.

Say it ain’t so! Simon Sharwood says it’s so so—“Microsoft rolls back default macro blocks in Office without telling anyone”:

The problem kept getting worse
The potential for such attacks is hardly new. The infamous Melissa virus rampaged across the world’s mail servers in 1999 thanks to malicious macros embedded in a Word document. Things got worse over the years, so in 2016 Microsoft … stopped running macros without first asking users if they really wanted to do so.

But the problem kept getting worse. So … Microsoft decided to block macros by default in Access, Excel, PowerPoint, Visio, and Word, explaining that the change made Office “more secure and is expected to keep more users safe.”

tl;dr? A former ’Softie, Kevin Beaumont—@GossiTheDog—obliges thuswise:

I smell shenanigans
The single most impactful change Microsoft could have made to radically improve a real world cybersecurity issue in their own back garden (that they directly profit from) was rolled back without even being communicated. … To say I’m disappointed is an understatement.

Windows and Office should be shipping the gold standard of secure-by-default products. … I want to give the Office team credit for trying to get this change through. They tried to do the right thing. … It’s even been through all the preview channels etc for months and a gradual rollout over a month in Current.

[Not] great it suddenly got yanked. … I smell shenanigans. [But] it could be a mix of issues, including usability, but it’s really important it is understood and that there’s real focus at MS about how they intend to re-approach the problem. … We’ll see if [they] are allowed to re-approach it.

But why? u/BlackV has opinions:

Some billion dollar company said, “We can’t be bothered fixing our stuff. If you don’t reverse this we will be … closing our 365 subs.”

More detail plz? MaverickX009 feels the need—the need for more: [You’re fired—Ed.]

Backlash was too extreme
Enterprise customers were too vocal in this decision, causing Microsoft to backtrack. … This is mainly [because] a big enough majority [of] enterprise customers are too lazy and cost conscious to create and provide proper training … and value ease and efficiency over security, with them mainly telling employees not to open suspicious files etc. Unfortunately not all associates are tech savvy (who would have figured that is still a problem in this day and age?)

Ultimately enterprises only have themselves to blame, but would rather continue the trend, and this is one time I wish Microsoft would not have caved in. But I guess the negative backlash was so extreme … that Microsoft decided to backtrack—at least until they can find a better way.

“Negative backlash,” you say? How about this example, from a slightly sarcastic yrzhl?

Thanks for the brilliant idea
Another terrible update idea from Microsoft.

I made my own Excel macro-enabled document and put it on an office server. I made it available offline from my laptop and after the update (Version 2205), I just received this information and the macro document showed me the security risk banner instead of the security warning where I can enable macros. This is very frustrating as I made the macro for my co-workers to update the stock document easily.

I also can’t find the security and unblock check box … also tried to adjust some settings in Trust Center, tried to add trusted locations to my server by IP but it’s not allowed by Excel. None of the solutions work for me.

Thanks for the brilliant idea Microsoft!!!

Spreading the blame around, a depressed-sounding Pascal Monett calls it “Typical Borkzilla”:

Companies these days have the attention span of goldfish. Oh, a new idea! Let’s implement without thinking about its impact! And we need to implement Agile, because that means we’re professionals!

Our society has completely lost the notion of stability and continuity. I don’t see that changing any time soon.

Okay, so how can we turn it back on for our organization? u/NNTPgrip’s got news for us:

GPOs or Intune (Endpoint Manager) if on AzureAD. Manually on a single machine via the Trust Center in Office Options or look up the registry equivalent of the GPO setting.
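
An added example (not from the article or the quoted comment) of the registry route mentioned above: it reports, per Office app, whether the "block macros from the internet" policy is set for the current user, and can set it. The value name `blockcontentexecutionfrominternet`, the Office `16.0` per-user policy path and the function names are assumptions that do not appear on the page.

```powershell
# Added example. Assumed, not on the page: the policy value name and the
# Office 16.0 per-user policy path used below.
$ValueName = 'blockcontentexecutionfrominternet'
$Apps      = 'access', 'excel', 'powerpoint', 'visio', 'word'

function Get-MacroBlockState {
    param([string]$OfficeVersion = '16.0')
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = $null
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.$ValueName }
        }
        # 1 = block enforced, 0 = block switched off by policy, absent = no policy
        if     ($value -eq 1) { $state = 'Blocked by policy' }
        elseif ($value -eq 0) { $state = 'Block disabled by policy' }
        else                  { $state = 'Not configured (app default applies)' }
        [pscustomobject]@{ App = $app; Value = $value; State = $state; Key = $key }
    }
}

function Set-MacroBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OfficeVersion = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "Set $ValueName = 1")) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $ValueName -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; the write is opt-in.
Get-MacroBlockState | Format-Table App, Value, State -AutoSize
# Set-MacroBlock -WhatIf   # preview the writes; drop -WhatIf to apply
```

On domain-joined or Intune-managed machines a centrally delivered policy will overwrite values written this way, so use the audit output to confirm what is actually in effect.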

Meanwhile, the infamous Marcus Hutchins eyerolls furiously:

Looks like Microsoft has blessed us all with more job security.

And Finally:

Justin Mason returns to form


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Geraldine Le Meur (cc:by; leveled, cropped and macroed)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.