Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft Security

Microsoft Still Plans To Block Office Macros By Default After Temporary Rollback (theverge.com) 25

Microsoft is still planning to block Visual Basic for Applications (VBA) macros by default in Office apps. From a report: The software giant rolled back planned changes last week, surprising IT admins who had been preparing for Microsoft to prevent Office users from easily enabling macros in Office files downloaded from the internet. The change, designed to improve security in Office, was supposed to go live in June before Microsoft suddenly reverted the block on June 30th. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," explains Kellie Eickmeyer, principal product manager at Microsoft, in a blog post update. "This is a temporary change, and we are fully committed to making the default change for all users."
This discussion has been archived. No new comments can be posted.

Microsoft Still Plans To Block Office Macros By Default After Temporary Rollback

Comments Filter:
  • by gweihir ( 88907 ) on Monday July 11, 2022 @12:05PM (#62693580)

    MS basically can decide between staying the number one facilitator of cyber-crime of the ransomware-variant by letting macros run (macros are not the problem, the absence of any reasonable security concept in VBA is) and hence costing their customers billions and killing some of them outright or the can break a lot of stuff, including some really basic functionality you cannot get via the GUI.

    Well, MS has accumulated technological debt in Office, Windows and VBA for decades. As a result, the house of cards they built is now crumbling and there is no way to fix it.

    • by Anonymous Coward

      It's not like the problems came out of the blue. It's not even honest tech debt accruement. Bets were taken right at introduction: How long until this gets weaponised? Days, not even weeks.

      It's only taken them how many years to start trying to deal, a little? They ought to have done better and they were in a fine position at the start to do it; the knowledge was available and they had the opportunity, but declined. No sympathy for their floundering now. It's gotten stale years ago.

    • by PPH ( 736903 )

      or the[y] can break a lot of stuff, including some really basic functionality you cannot get via the GUI

      The really smart developers, ones with no nefarious intentions, looked at this situation many years ago. They reasoned that, although VBA gave them a powerful API and scripting engine, the party just couldn't last. And so they had better plan an exit strategy. Those people already have a fix and I'm not worrying about them. The only ones left are the ransomware people and the ones who were too stupid to realize that the barn door was not going to be left ajar forever. Both can curl up and die as far as I'm

    • by jbengt ( 874751 )

      (macros are not the problem, the absence of any reasonable security concept in VBA is)

      This, exactly.
      A macro in a Word template that searches and replaces text based on user input can save a ton of editing. And a user-defined VBA function to use in a spreadsheet can be very useful.
      But Microsoft's VBA is able to create binary files, write to them, and execute them. And it's an all-or-nothing thing - I can't have the functionality I need while not allowing VBA to do everything it might.
      The other thing -

      • by gweihir ( 88907 )

        But Microsoft's VBA is able to create binary files, write to them, and execute them. And it's an all-or-nothing thing

        Yes. There is a special place in CS hell for whoever thought this was a good idea. What astonishes me is that they apparently cannot just limit what VBA can do in the filesystem, but have to switch it off completely instead. Has MS lost the ability to change what VBA can do or did they never have it? It cannot be that hard to, say, prevent all filesystem write access and prevent execution of external programs. Or to prevent all filesystem access including execution of external programs.

        Or maybe it _is_ that

      • The other thing - VBA might become almost useless in our office with this. Every file I open from our small office server, whether working from home or directly connected to the network at the office, gets the warning banner "Be careful - files from the internet can contain viruses. Unless you need to edit, it's safer to stay in Protected View." I'm assuming that nothing in our network will be trusted.

        Your office server, or one shall say the client computers that the server supposed to serve, missed some configuration [stackoverflow.com]. Thus your office computers don't know that server is part of the "Local Intranet".

        Yes, the location of this setting is in "Internet Explorer", a Microsoft program that is retired now. Have fun figuring why they put an OS-wide setting into the browser.

        • by gweihir ( 88907 )

          Yes, the location of this setting is in "Internet Explorer", a Microsoft program that is retired now. Have fun figuring why they put an OS-wide setting into the browser.

          Is there anything where MS does not disappoint with bad design and incompetence? These people seem to be unable to get anything right.

  • How long has this been a known threat?
    • It was seen as a security threat back when I was in high school in 2005.
    • The early/mid 90s when they started adding VBA to office applications.

      • by ewhac ( 5844 ) on Monday July 11, 2022 @02:54PM (#62694142) Homepage Journal

        We have a winner.

        Word macro viruses starting becoming a significant problem around 1993. Most of them just copied themselves into all the documents you opened (overwriting any other macros that might already be there). Recall that, in 1993, networking of PCs was relatively unusual, so the major path of propagation for Word viruses was the exchange of floppy disks. And even with that slow, cumbersome transmission method, Word viruses became a major problem.

        The Word macro virus issue basically served as one of the earliest existence proofs that embedding a Turing-complete scripting language into what is putatively a document -- and running those scripts by default -- was a fscking stupid idea. And yet, raging [wikipedia.org] idiots [javascript.com] keep [wikipedia.org] doing it. [ethereum.org]

        • The demand of scripting is there and any effort to block it is destined to be circumvented. It doesn't matter how stupid you think it is.

          The solution is not banning people from having scripting or banning people from downloading / opening files given by outsiders. The solution is proper permission system for each individual capability.

          • by ewhac ( 5844 )

            The solution is proper permission system for each individual capability.

            Well, ya say that -- and it would indeed be a big help -- but all you have to do is look at the Android ecosystem to realize that model has flaws, particularly in an environment where users either don't understand what the permissions mean, or don't bother to review them.

            And so, when confronted with unknown or known-dangerous software, the responsible approach is to Fail Safe -- deny access/execution until the user has had a chance to

  • VBA is self-contained, without any stupid requirement of an online server to host the script. As long as Microsoft refuse to provide a fully offline friendly solution, VBA functionality cannot be truly superseded.
  • Late AF (Score:4, Interesting)

    by backslashdot ( 95548 ) on Monday July 11, 2022 @12:39PM (#62693672)

    They should have done this in 1994 right after Joel McNamara showed the proof of concept. Instead, they waited around even after Concept (1995) and Melissa (1999) and subsequent ones in the 2000s.

    • It was 1994. Their CEO was joking, "do you think people are going to pur URLs in advertisement?" Microsoft thought it was a swell idea to have Browser Helper Objects (basically windows binary executables) to be downloaded from the net and run it locally with all the privileges of root.

      Good security procedures existed back then. Honed in university unix systems, where every student fantasized about logging into the records server and awarding himself/herself straight As. But security is inversely proportio

      • You can do plenty of damage just running as a standard user, even in Linux. Most of the important stuff is user files. OS and program files can easily be replaced by reinstalling from scratch. Recovering user data that hasn't been backed up properly.

        Also, it's not just Microsoft that "never imagined to be a working in adverse environment". Just look at how email works. There's no provisions in the original email spec to validate who the message is coming from. The "from" portion of email is just a piece of

        • You can only really prove someones id electronically using public private key (assuming their keys havent been stolen) and while RSA existed back then ordinary machines wouldn't have had the horsepower to verify every email as they arrived.

        • Mail E or snail never had any pretensions of authentication.

          USPS will happily accept mail from you where you can write From: The President of the United States, 1600 Pennsylvania Ave, Suite West Wing, Washington DC It is not illegal. At best the recipient can show it as evidence of "intent to deceive" that is all. So no one expected e-mail to be any form of secure communication. But the computer, where student grades are processed had user accounts for the same students. There was an expectation of securi

  • Some big corporation must have created an automated solution that requires the download of word or excel files from a server before it runs. And probably it ties down a big chunk of their operation so they didn't have a quick solution to replace it with.

    I can imagine it clearly!!
  • by 93 Escort Wagon ( 326346 ) on Monday July 11, 2022 @01:21PM (#62693806)

    I mean, come on - while the base language has changed, we've known about the security issues with Office macros for coming up on three decades now.

  • Here's why this is complex:
    1. The enterprise has hundreds of legacy VBA macros, each one running mission-critical Production processes.
    2. Companies are determined to sunset every single one of these VBA macros. However ...
    3. It would cost far too much money, time, and design effort to re-write all those macros on another platform (pick your poison there, whether it be Java, Python, or some other), and in the meantime, the business depends on them. Remember, proper replacement means new UI design, new datab

    • by ewhac ( 5844 )

      First off, if you have anything mission-critical that's written in VBA, you did a dumb. You BASICally baked technical debt into your "solution" from the outset, and you've been getting off on the cheap all these decades. Well, that debt has come due.

      Second: The idea that a security hole the size of Betelgeuse needs to remain open so that the organization can avoid the cost of re-writing its code to no longer need that hole... Well, let's just say regulators and shareholders won't be impressed when you

If you have to ask how much it is, you can't afford it.

Working...