Microsoft To Block Internet Macros By Default in Five Office Applications (therecord.media)
In one of the most impactful changes made in recent years, Microsoft has announced today that it will block by default the execution of VBA macro scripts inside five Office applications. From a report: Starting with early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts inside untrusted documents that they downloaded from the internet. The change, which security researchers have been requesting for years, is expected to put a serious roadblock for malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems. In these attacks, users typically receive a document via email or which they are instructed to download from an internet website. When they open the file, the attacker typically leaves a message instructing the user to enable the execution of the macro script. While users with some technical and cybersecurity knowledge may be able to recognize this as a lure to get infected with malware, many day-to-day Office users are still unaware of this technique and end up following the provided instructions, effectively infecting themselves with malware.
Why did it take so long? (Score:5, Insightful)
Why did it take so long? This has been a known issue for decades.
Re:Why did it take so long? (Score:4, Informative)
Interesting question. I think it sort of made sense for some spreadsheet contexts where only the latest results matter and you reasonably want the macros to update to the latest results every time the file is used. Having to confirm running the macros every time would be a nuisance in those situations.
But in general it has been a disastrous default (unless you're a malicious scammer, of course). There's a logical mismatch there. People tend to and even prefer to think of files as static objects, which is not true when the file is doing all sorts of stuff without so much as a "By your leave".
Re:Why did it take so long? (Score:5, Informative)
Having to confirm running the macros every time would be a nuisance in those situations.
Eh? The current state is that you *will* be prompted before execution of macros from any document downloaded from Internet or received through a mail program. That's how it works now.
You need to unblock (remove the "from Internet" taint) the document before you can run macros. Until then, a document with the "internet taint" is also opened in a sandboxed version of the application (low integrity mode strips away writing permissions to the file system and more).
This change is that you will not be *prompted*. The macros will silently be blocked. No prompt. Which is better, because social engineering techniques can be deployed to make the target *want* to unblock the document.
Re: (Score:2)
The problem is that you may need those macros to run. At the same time the macro functionality is messed up and macros in frigging office documents can attack you.
Re: (Score:2)
Thanks for the clarification of the situation. I better clarify that I mostly avoid Microsoft documents whenever possible. Dare I say hearsay evidence swayed me? Most of my complicated macro programming goes WAY back.
Re: (Score:3, Informative)
I've got a few spreadsheets with macros that I share with members of a club. Now they will have to jump through all kinds of hoops to edit the document to remove the "internet taint" (which I assume will also apply to documents received by e-mail). Just great...
Why is it so difficult for MS to just restrict certain commands that could be dangerous? If a macro just rearranges cells, performs calculations, perhaps even downloads data from a website to certain cells, what's wrong with that? Just don't let it t
Re: (Score:2)
Re: (Score:2)
Put them in a self-extracting exe, that'll create safe practices.
Re: (Score:2)
Not really. Updating the things in the spreadsheet is one thing and not a malware-risk for the system. Writing the file-system or opening links in a browser or the like is quite another. MS fucked this up completely, plain and simple, and they have been refusing to fix it up until now. I expect somebody with enough clout threatened them.
Re: (Score:2)
This doesn't completely stop the malicious-writing-to-the filesystem problem, and it breaks macros that only update "the things in the spreadsheet", so I would say they are still refusing to fix it.
Re:Why did it take so long? (Score:4, Interesting)
Re:Why did it take so long? (Score:5, Insightful)
This is true with a small minority of users. Most users get lost as soon as the GUI changes. They get familiar with the new GUI and it starts all over again with the next release. It's unbelievable how many support calls I get with people in a panic because they blindly pressed OK. Yes these apps are ingrained and it is these apps that are the most likely avenue of infection.
All documents received from the Internet should require they be saved first and a user password entered in order to execute any script.
Now why am I complaining? I make a killing on this.
Re: (Score:2)
All documents received from the Internet should require they be saved first and a user password entered in order to execute any script.
That is the wrong solution. Scammers will still get people to do that. The right solution is to restrict scripting in documents so that they cannot attack your system.
Re: (Score:2, Insightful)
Because PHB's complain when their crapWare doesn't work like they are used to, and they pay the MS bill. Money talks louder than sanity.
Re: Why did it take so long? (Score:3)
Re: (Score:1)
Yet another reason why I hope M$ NEVER offers their products on Linux.
Re: (Score:1)
Either the people who paid them to play dumb stopped paying, or someone outbid them.
Re: (Score:2)
Re: (Score:3)
Also, since the work server I'm connected to is technically using an IP address, does this mean that no macros will work on those documents? (Permissions do not allow me to make the Projects server a trusted location)
Brain fart (Score:2)
'Nuff said.
Trying to fix stupid (Score:2)
Re: (Score:2)
"Trusted locations" has been a setting for a long time. I expect an influx of support cases when they roll this out. I probably have a dozen or more business critical VBA solutions floating around out there, and likely a roughly equal amount of customers who did not listen when I mentioned that setting on delivery years ago.
Re: (Score:2)
Re: (Score:2)
Based on the flowchart in TFA, it doesn't look like that's relevant.
I wouldn't be surprised if they are, though. The solutions typically live in a database as templates, downloaded either via native desktop client or web interface for each use.
Re: (Score:2)
Re: (Score:2)
Blimey, right you are. That acronym has never entered my vocabulary and my brain appears to have just edited it out as meaningless. No worries then, presumably. The desktop client would have no reason to set that, and the web interface uses a plugin for document operations so presumably that would be fine as well.
Re: (Score:2)
I believe that macro-laden documents from the internet can still be saved-as to a trusted loc
Re: (Score:2)
Re: (Score:2)
Right-click the file and go to properties. Click Unblock. It's been that way for like 10 years. I have no idea why they have this Untrusted file concept and have not immediately gone to blocking Macros and everything else.
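The "internet taint" discussed in this thread is stored by Windows as an NTFS alternate data stream named Zone.Identifier, and the Properties > Unblock step deletes that stream. The following PowerShell is an added example, not part of any comment here: it reports which macro-capable Office files in a folder carry the mark, then shows that Unblock-File clears it. The function name Get-OfficeMotw, the extension list and the demo folder are assumptions made for illustration; it needs Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: audit the Zone.Identifier mark on macro-capable Office files.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-OfficeMotw {
    param([Parameter(Mandatory)][string]$Path)
    # Extension list is an assumption for this example; adjust it to your environment.
    $ext = '.docm', '.dotm', '.xlsm', '.xlsb', '.xltm', '.pptm', '.doc', '.xls', '.ppt'
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $ext -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # The mark lives in an alternate data stream; a missing stream means no mark.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zone = $null
            foreach ($line in $ads) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zone = [int]$Matches[1] }
            }
            [pscustomobject]@{
                File         = $_.Name
                ZoneId       = $zone
                Zone         = if ($null -eq $zone) { 'No mark' } else { $ZoneNames[$zone] }
                FromInternet = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

# Constructed demo data: two placeholder files, one marked as downloaded from the Internet zone.
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\club.xlsm"  -Value 'placeholder'
Set-Content -LiteralPath "$demo\local.xlsm" -Value 'placeholder'
Set-Content -LiteralPath "$demo\club.xlsm" -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-OfficeMotw -Path $demo | Format-Table -AutoSize   # club.xlsm shows the Internet zone

# Same effect as Properties > Unblock: the Zone.Identifier stream is removed.
Unblock-File -LiteralPath "$demo\club.xlsm"
Get-OfficeMotw -Path $demo | Format-Table -AutoSize   # both files now report no mark
```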
Re: (Score:2)
Right-click the file and go to properties. Click Unblock. It's been that way for like 10 years. I have no idea why they have this Untrusted file concept and have not immediately gone to blocking Macros and everything else.
Yea, I know that, but thanks. My concern was they somehow do away with that or make it much more difficult when you save as an Excel file with Macros.
Re: (Score:2)
Re:Trying to fix stupid (Score:4, Informative)
change from the click to turn off protected mode? (Score:2)
change from the click to turn off protected mode?
User Training (Score:2)
Re: (Score:2)
Re: (Score:3)
My son's place of work does that and he fell for it once. He was pretty embarrassed.
Now, if we could only do that to the president and owner of the company I work for. As far as I know, she is the only one who has infected our network by clicking on bad links and opening attachments to suspicious e-mails, and she's d
I bet they will mess it up (Score:3)
This move has been long overdue. The original inclusion of far too powerful scripting was a mess-up of epic proportions.
But I will be really surprised if this solves the issue. MS has a track record of doing the wrong thing, half-assing it and not understanding how its own software works. My prediction is that attackers will take less than a month to get around this limitation.
Note the real problem is not having some scripting ability in documents. PostScript and PDF both have that or rather the whole document format is a script. The real problem is that MS did not create a sandbox that prevents documents from infecting your machine.
Almost 22 f**king years before ... (Score:2)
Whistler to include 'block all unsigned apps' security mode [google.com]
Virus and Microsoft [google.com]
Microsoft has made $BILLIONS from their crap (Score:1)
Stockholm Syndrome has kept the money rolling in for Microsoft.
Office (Score:2)
20+ years too late.