There’s been a bit of back and forth since the change was originally announcedBut this week Microsoft began rolling out an update to Microsoft Office that blocks the use of Visual Basic for Applications (VBA) macros in downloaded documents.
Last month, Microsoft was testing the new default settings when it suddenly rolled back the update, “temporarily while we make some additional changes to improve usability.” Despite saying it was temporary, many experts are concerned that Microsoft may not be able to change the default settings, leaving systems vulnerable to attack. Shane Huntley, Google Threat Analysis Group Leader tweeted“Blocking Office macros would do infinitely more to defend against real threats than all the threat intelligence blog posts.”
The new default settings are now rolling out, but with updated language to alert users and administrators about the options they have when they try to open a file and it’s locked. This only applies if Windows, using the NTFS file system, sees it as downloaded from the Internet and not a network drive or site that administrators have marked as safe, and it doesn’t change anything on other platforms like Mac, Office on Android/ iOS or Office on the web.
We are resuming the implementation of this change in the current channel. Based on our review of customer feedback, we have made updates to both the end user and IT administrator documentation to clarify what options you have for different scenarios. For example, what to do if you have files in SharePoint or files on a network share. Please consult the following documentation:
• For end users, A potentially dangerous macro has been blocked
• For IT administrators, macros of the inorthInternet will be blocked by default in Office
If you have ever enabled or disabled Block execution of macros in Office files from the Internet policy, your organization will not be affected by this change.
While some people use the scripts to automate tasks, hackers have abused the feature with malicious macros for years, tricking people into downloading a file and running it to compromise their systems. Microsoft noted how administrators could use group policy settings in office 2016 to block macros on your organization’s systems. Still, not everyone activated it and the attacks continued, allowing hackers to steal data or distribute ransomware.
Users who try to open files and are blocked will get a popup sending them to this page, explaining why they probably don’t need to open that document. It starts by running various scenarios where someone might try to trick them into running malware. If they really need to see what’s inside the downloaded file, it goes on to explain ways to gain access, which are more complicated than the previous ones, where users could usually enable macros by pressing a button on the warning banner.
This change may not always stop someone from opening a malicious file, but it does provide several more layers of warning before they can get there while still giving access to people who say they absolutely need it.
