Microsoft Office will soon block untrusted Visual Basic for Applications (VBA) macros sourced from the internet by default – a security measure users can still circumvent, permissions allowing.
The Windows giant announced that the change will come in version 2203 of Office for Windows, due in April 2022, and applies to Access, Excel, PowerPoint, Visio, and Word. The change will come to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 at a date to be determined.
Microsoft’s rationale for the change is that criminals use macros to target users, and that Office’s current defense strategy is somewhat lacking.
It’s important to note that, plus or minus some caveats, users will still be able to override Microsoft’s ban, because when they open a document containing an untrusted macro from the internet, they’ll see the message below explaining why it won’t run:
Microsoft’s macro missive
Note the presence of that “Learn More” button, dear readers. It opens a document Microsoft has penned for folks to explain its macro rules. That document also explains how to save the blocked macro to a local drive and change its permissions to allow it to run and circumvent the block.
Another important point to note, though, is that IT admins can use an Office cloud policy or an ADMX or group policy to prevent users from overriding the above warning and just stop the unsafe content dead. Microsoft’s advice for Office admins states that users should only side-step the block “if absolutely needed.”
Redmond’s announcement quotes Tristan Davis, Microsoft’s partner group program manager for the Office Platform, saying: “We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations.”
Those are The Register‘s italics.
Another thing to watch for is that the mechanism Microsoft is using to enforce the block won’t work if you’re using a FAT32 filesystem for some reason.
That mechanism is called Mark Of The Web (MOTW) and is derived from tech that Microsoft’s abandoned Internet Explorer web browser used to classify the source of a document so it could apply appropriate levels of security. MOTW works by adding an attribute to files as they arrive on a device – but as Microsoft’s announcement of the macro ban explains, that attribute only sticks on files saved to a NTFS file system. Files on FAT32 formatted devices don’t get MOTW info.
For those of you using NTFS and cloudy controls for Office management, here’s how the macro-filtering process works:
Click to enlarge
Macros have been a well-known menace ever since the ILOVEYOU worm erupted onto millions of PCs in May 2000. Redmond’s minions have tried to make life harder for authors of malicious macros ever since, though those efforts appear not to have deterred macro-centric malware authors. Tom Gallagher, partner group engineering manager for Office Security, admits that “a wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code.”
Those miscreants may now find it harder to succeed, though they’ve also been given a strong signal that now is the time to figure out how to game MOTW. They also know that come April 2022 they should ignore the population of users that run the one version of Office that will ban macros, and that it may be worth developing new social engineering tactics for that group of users. ®