Microsoft to block downloaded VBA macros in Office – you may be able to run 'em anyway

Aims to make life harder for miscreants


Microsoft Office will soon block untrusted Visual Basic for Applications (VBA) macros sourced from the internet by default – a security measure users can still circumvent, permissions allowing.

The Windows giant announced that the change will come in version 2203 of Office for Windows, due in April 2022, and applies to Access, Excel, PowerPoint, Visio, and Word. The change will come to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 at a date to be determined.

Microsoft's rationale for the change is that criminals use macros to target users, and that Office's current defense strategy is somewhat lacking.

It's important to note that, plus or minus some caveats, users will still be able to override Microsoft's ban. When they open a document containing an untrusted macro from the internet, they'll see the message below explaining why it won't run:

[Image: Microsoft's macro missive – the warning Office shows when a macro from the internet is blocked]

Note the presence of that "Learn More" button, dear readers. It opens a document Microsoft has penned for folks to explain its macro rules. That document also explains how to save the blocked macro to a local drive and change its permissions to allow it to run and circumvent the block.

Another important point to note, though, is that IT admins can use an Office cloud policy or an ADMX or group policy to prevent users from overriding the above warning and just stop the unsafe content dead. Microsoft's advice for Office admins states that users should only side-step the block "if absolutely needed."

Redmond's announcement quotes Tristan Davis, Microsoft's partner group program manager for the Office Platform, saying: "We will continue to adjust our user experience for macros, as we've done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations."

Those are The Register's italics.

Another thing to watch for is that the mechanism Microsoft is using to enforce the block won't work if you're using a FAT32 filesystem for some reason.

That mechanism is called Mark Of The Web (MOTW) and is derived from tech that Microsoft's abandoned Internet Explorer web browser used to classify the source of a document so it could apply appropriate levels of security. MOTW works by adding an attribute to files as they arrive on a device – but as Microsoft's announcement of the macro ban explains, that attribute only sticks on files saved to an NTFS file system. Files on FAT32-formatted devices don't get MOTW info.
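Since MOTW is what the new default depends on, an admin may want to audit which downloaded Office files actually carry it. The PowerShell below is an added example, not Microsoft's code or anything from the article: it assumes a starting folder (the user's Downloads by default), reads the NTFS Zone.Identifier alternate data stream that holds MOTW, and reports files on non-NTFS volumes as unable to carry the mark at all.

```powershell
# Added example: audit Office documents for Mark Of The Web (MOTW).
# MOTW is stored in an NTFS alternate data stream named Zone.Identifier;
# on FAT32/exFAT there is no such stream, so Office cannot tell the file
# came from the internet and the macro block will not trigger.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed starting folder
)

# Macro-capable Office extensions covered by the announcement (Access, Excel,
# PowerPoint, Visio, Word); extend this list to suit your environment.
$officeExt = '.doc','.docm','.dot','.dotm','.xls','.xlsm','.xlsb','.xlam',
             '.ppt','.pptm','.potm','.ppam','.vsd','.vsdm','.accdb','.mdb'

# File system of the volume holding $Path; MOTW only persists on NTFS.
$drive = (Get-Item -LiteralPath $Path).PSDrive.Name
$fs = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($drive):'").FileSystem

Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $officeExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = $null
        try {
            # Stream contents look like "[ZoneTransfer]" / "ZoneId=3";
            # 3 = Internet, 4 = Restricted sites (both untrusted).
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
            }
        } catch { }   # no Zone.Identifier stream: file has no MOTW

        $state = if ($fs -ne 'NTFS')      { 'cannot-hold-MOTW' }
                 elseif ($null -eq $zone) { 'no-MOTW' }
                 elseif ($zone -ge 3)     { 'blocked-by-default' }
                 else                     { 'trusted-zone' }

        [pscustomobject]@{
            File       = $_.FullName
            FileSystem = $fs
            ZoneId     = $zone
            MotwState  = $state
        }
    } | Format-Table -AutoSize
```

Files reported as no-MOTW or cannot-hold-MOTW will open with macros subject only to the existing Trust Center settings, so they are the ones worth a closer look or a policy that disables macros outright.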

For those of you using NTFS and cloudy controls for Office management, here's how the macro-filtering process works:

[Figure: Microsoft macro security assessment flowchart]

Macros have been a well-known menace ever since the ILOVEYOU worm erupted onto millions of PCs in May 2000. Redmond's minions have tried to make life harder for authors of malicious macros ever since, though those efforts appear not to have deterred macro-centric malware authors. Tom Gallagher, partner group engineering manager for Office Security, admits that "a wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code."

Those miscreants may now find it harder to succeed, though they've also been given a strong signal that now is the time to figure out how to game MOTW. They also know that come April 2022 they should ignore the population of users that run the one version of Office that will ban macros, and that it may be worth developing new social engineering tactics for that group of users. ®

Biting the hand that feeds IT © 1998–2022