Microsoft will disable Office VBA macros by default to block malware
In so many ways macros have made life easier for Office users, helping to automated and speed up a variety of tasks. But they also pose a gigantic security threat, particularly in documents downloaded from the internet.
Now Microsoft is taking action, and will block internet macros by default in Office. The reason for the move is the widespread exploitation of VBA macros by bad actors to spread malware.
- Microsoft releases Windows Terminal Preview 1.13 with updated Settings UI and profile auto-elevation option
- KB5008353 update for Windows 11 may improve performance and fix drive problems
- Leak: an upcoming Windows 11 update will tell you how eco-friendly your computer is
While the problem of macros representing a security risk is far from a new one, Microsoft says that the recent increase in the numbers of people working remotely and the general reliance on the cloud means that the situation is more serious than ever.
Microsoft's Kellie Eickmeyer explains the issue:
For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access.
In a significant change that will help to boost security, Microsoft says that VBA macros obtained from the internet will now be blocked by default. The company says:
For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.
In a blog post introducing the news, the company says that:
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.
The news has been well-received by the security community. Callum Roxan, Head of Threat Intelligence at security firm F-Secure says: "Any move towards security as a default, and not an option, is a real positive change. Complexity is a serious barrier to security and this change will help many organizations protect themselves. Threat actors will adapt, but macros have been a prevalent threat for a long time and this change will raise the cost and complexity for attackers".
Senior Incident Response Consultant at the company, John Rogers, adds:
This is a long-awaited change by the cyber security industry which is expected to greatly reduce the chances of harmful malware being delivered via phishing emails. However, it won't completely remove the threat. This change should not impact the small number of users who are required to run macros as a legitimate business function as it will only change the default behavior, which admins can change on a case-by-case basis. It's great to see a secure by design approach which would protect the majority of users as opposed to leaving security up to the untrained user.
Microsoft goes on to explain that it also plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013, but does not say when this will happen.