Microsoft Will Block Office Macros By Default Starting July 27 (techcrunch.com) 35
Microsoft confirmed this week that it will soon start blocking Visual Basic Applications (VBA) macros in Office apps by default after quietly rolling back the change earlier this month. From a report: In a new update, the technology giant said that it will start blocking Office macros by default starting from July 27. This comes shortly after Microsoft halted the rollout of the macros-blocking feature citing unspecified "user feedback." It's thought the initial rollout, which kicked off at the beginning of June, caused issues for organizations using macros to automate routine processes, such as data collection or running certain tasks. In a statement given to TechCrunch, Microsoft said it paused the rollout while it "makes some additional changes to enhance usability." The company has since updated its documentation with step-by-step instructions for end users and IT admins explaining how Office determines whether to block or run macros, which Office versions are affected by the new rules, how to allow VBA macros in trusted files and how to prepare for the change.
Um, ok (Score:4, Insightful)
Re: (Score:2)
And you can still use them. This change is about *files from Internet* or other untrusted locations, such as a file share accessed through an IP address.
For files retrieved from *trusted locations* this will not have any effect. Macros will still be able to run.
Re: (Score:2)
Why do I have a hunch that "trusted location" means "some server on the internet with a valid certificate" or similar bullshit that won't keep a single infection from happening but causes heaps of headaches for legitimate users?
Re: Um, ok (Score:3)
VS Code has something along these lines. You designate locations that are trusted and projects from a trusted location can do everything, but projects from other locations can't.
Re: (Score:3)
> Why do I have a hunch that "trusted location" means "some server on the internet with a valid certificate" or similar bullshit that won't keep a single infection from happening but causes heaps of headaches for legitimate users?
The "from Internet" taint of files in Windows relies on the user agent. Mail clients and browsers are expected to "taint" files downloaded using the application. All browsers respect this, and I believe that all mail clients do so as well. But it really comes down to the program you use to download the file.
This ability to "taint" a file has been in Windows since Vista (at least).
Re: (Score:2)
In other words, if I download it using a PS script and don't "taint" it...
C'mon, seriously?
Re: (Score:2)
Yes, you can compromise an already compromised system. But at that point it doesn't matter.
Re:Um, ok (Score:4, Insightful)
Except that MS is incapable of accurately determining where files come from, and frequently forgets that a yes, for fuck's sake I want to edit this document.
Re: Um, ok (Score:2)
Re: (Score:3)
VB macros are pretty much the only reason to still use Office.
And? Continue using them like normal. If the document is from a trusted source, comes from within your domain, is signed, is authored by someone from within your organisation, is manually permitted, or you set group policy to ignore this new change then they will run like they always have.
What's being blocked is macros run within documents from an untrusted location (e.g. internet, or share accessed via ip address rather than network name).
Re: (Score:2)
> What's being blocked is macros run within documents from an untrusted location (e.g. internet, or share accessed via ip address rather than network name).
For the life of me, I swore they did that in like Office 2001.
Re: (Score:2)
No they stopped them from auto-executing and required user intervention, that's still in place today even for trusted sources. This will now *block* them, requiring complete reclassification of the file from untrusted to trusted, and then closing and re-opening said file.
i.e. That piece of malware riding along in that file someone downloaded from the internet no longer has an "enable" button.
"unspecified user feedback" (Score:1)
Microsoft only listens to Fortune 500 clients.
Google: There is no service we won't yank... (Score:2)
Re: (Score:3)
The difference, as usual, is that Microsoft isn't actually taking the functionality away. Microsoft rarely does that. They do sometimes let things languish until they're not practical to use any more, but that's not the same thing. You'll be able to click to enable your macros. This is a good move that's going to reduce the number of dumbshits who are infected by email. It won't eliminate them, because a percentage of those dumbshits will enable the macros, but it should still help.
Per link from TFA [microsoft.com], users
Oh? (Score:3)
With MS Office formats you can't automate outside the application, and then you can't automate from within it either.
Nice work.
Re: (Score:2)
Oh, you can still "automate". This takes away the ability to run macros for *files from Internet*. It does not take away the ability to run macros in documents you have authored yourself or retrieved from within your organization.
Re: (Score:2)
Trying to partition which bits of the internet are the organisation or partners to the organisation sounds like a nightmare since most things are hosted within three main outsourcing organisations.
Re: (Score:2)
> Trying to partition which bits of the internet are the organisation or partners to the organisation sounds like a nightmare since most things are hosted within three main outsourcing organisations.
It's the browser or mail client that taints the file with its "Internet origin" mark. Download a file using a browser or save a file received through an email and it will be tainted, unless you use some obscure mail client or browser which does not follow the guidance.
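An added example (editor's illustration, not written by any commenter and not Microsoft's code): the "Internet origin" taint discussed in the comments above is stored by Windows as an NTFS alternate data stream named `Zone.Identifier` attached to the file, and this sketch reads and classifies it for triage. The function names, the constructed sample stream and the choice to treat zones 3 and 4 (and unparsable marks) as untrusted are assumptions of the example.

```python
from typing import Optional

# URL security zone numbers stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def read_mark(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file, or None if it has none.
    Opening "<path>:Zone.Identifier" works on NTFS under Windows; elsewhere the
    open fails and the file is reported as unmarked."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_mark(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section into a key/value dict."""
    fields, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def classify(text: Optional[str]) -> dict:
    """Summarise a mark for triage. Assumption of this example: Internet (3)
    and Restricted Sites (4) count as untrusted origin, and a mark that cannot
    be parsed is reported as untrusted rather than silently ignored."""
    if text is None:
        return {"marked": False, "zone": None, "untrusted": False, "host": None}
    fields = parse_mark(text)
    try:
        zone_id = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return {"marked": True, "zone": "Malformed", "untrusted": True, "host": None}
    return {"marked": True,
            "zone": ZONES.get(zone_id, "Unknown (%d)" % zone_id),
            "untrusted": zone_id >= 3,
            "host": fields.get("HostUrl")}

# Constructed sample: what a browser typically writes for a downloaded workbook.
SAMPLE_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.test/\r\n"
                   "HostUrl=https://example.test/report.xlsm\r\n")

if __name__ == "__main__":
    print(classify(SAMPLE_DOWNLOAD))   # marked, Internet zone
    print(classify(None))              # file saved by a tool that adds no mark
```

On a Windows host, `classify(read_mark(path))` can be run across a share or a mail-attachment folder to list macro-enabled documents that carry an Internet-zone mark and those that carry none at all.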
Re: (Score:2)
While your critique is not really accurate, I do wonder why companies are still using VB for "business intelligence." There are so many easier ways today to manage data between the extremes of Excel and Oracle, why would you pick either dark end.
Re: (Score:2)
Well indeed, but when all you have is a hammer, everything looks like a nail.
Excel mostly gets in the way of automation, it is ok for displaying data but shouldn't be a producer in my view.
Re: (Score:2)
Completely agree. It is a hard lesson to learn though; so many things only give you 80%, and for the balance you need to export to Excel. The stuff that really sucks puts Excel in the middle of the workflow to glue different systems together.
Boy I wish there was an open source graphing engine that could functionally compete with Excel-- things like mixed-mode graphs and the level of customization!
Re: (Score:2)
I'd like to see governments move towards LO. Sometimes I find the regex functions in LO make random text work easier, particularly in vlookups.
Who pays for the ingest system is perhaps debatable. Data exchange often needs work on both sides, but I still won't be convinced that Excel is a good place for it as that just shifts the burden of data sanitize to someone else.
Easy way out. (Score:3)
MS could simply improve Defender to recognize malicious vs legitimate macros and block the bad ones. There are other endpoint protection platforms that do this effectively. But I guess implementing something like that is too hard for MS.
Re:Easy way out. (Score:4, Interesting)
Re: (Score:2)
> MS could simply improve Defender to recognize malicious vs legitimate macros and block the bad ones.
If we could identify malicious actions from intentional ones we wouldn't have malware. The problem is false positives. And no there are not other protection platforms that do this effectively, there are other platforms which are an outright fucking pain in the arse to legitimate users, or are useless to the point of irrelevance.
This change won't matter anyway, the only macros being blocked are in untrusted files. Anything you or someone in your organisation authors will run just fine. And if you want to sho
Question is, why can they not secure them? (Score:2)
I mean, it is pretty clear how: Either sandbox the whole thing and put all file-access (including execution) in a restricted, controlled and limited virtual file system. Or add some "secure" mode where macros cannot execute files, cannot write files and, as highest level, cannot read files.
But apparently MS cannot do anything like this, which would not restrict purely document-local macros at all. This is one more reason why I think MS has lost control of MS Office in the sense that they do not have the ski
Re:Question is, why can they not secure them? (Score:4, Insightful)
> Either sandbox the whole thing
Did you just write: "break macros everywhere" without realising it? The whole power of macros is that they have incredible access outside of the scope of the system they are running. I myself have many thanks to my employer a shitton of excel and word files which contain macros that generate powerpoint slides and write them to various places. I've seen organisations use macros to read and write data from remote servers.
The whole reason MS is so delicate with the situation is they know that macros are used well beyond the scope of the document or even application they are used in.
You're right, MS cannot do anything like this, it would break too many user applications.
Re: (Score:2)
Well, it is no surprise to see that you are one of the stupid morons that are at the root of this problem.
Re: Question is, why can they not secure them? (Score:1)
Re: (Score:2)
God damn you are stupid.
Re: (Score:2)
I've never written a macro you stupid cunt. Do you not know what the words "thanks to my employer" mean? Can you multitask? If so learn to read while you go fuck yourself.
Power users power tripping. (Score:2)
Powerful macros that aren't sandboxed are a malfeature. Users who think this is cool and nifty are part of the problem.
Sorry, but someone had to say it.
Default today... (Score:2)
..."That functionality is no longer available. Deal with it" tomorrow.