Microsoft rolls back default macro blocks in Office without telling anyone
Based on 'feedback'. Which one of you asked for this, and why?
Updated: Microsoft appears set to roll back its decision to adopt a default stance of preventing macros sourced from the internet from running in Office unless given explicit permission.
The software giant announced the change in February 2022 with a post that explained how macros written with Visual Basic for Applications are powerful, but offer a way for criminals to drop malicious payloads onto the desktop.
The potential for such attacks is hardly new. The infamous Melissa virus rampaged across the world's mail servers in 1999 thanks to malicious macros embedded in a Word document. Things got worse over the years, so in 2016 Microsoft upped the ante with a tool that allowed admins to define when and where macros were allowed to run. Microsoft also stopped running macros without first asking users if they really wanted to do so.
But the problem kept getting worse. So in February this year Microsoft decided to block macros by default in Access, Excel, PowerPoint, Visio, and Word, explaining that the change made Office "more secure and is expected to keep more users safe including home users and information workers in managed organizations."
Now the company appears to have reversed that decision.
A comment from a chap named Vince Hardwick noted that the default blocking of macros appeared to have been removed in the Current Channel for Office. Bleeping Computer appears to have spotted the thread before The Register.
A Microsoft staffer named Angela Robertson responded with the following:
Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.
Robertson did not discuss the feedback Microsoft has received that led to the change, but among the many comments on the original post announcing the block are complaints from users who took issue with the way macro blocking was implemented or lamented that it's effectively broken some useful systems they've built.
Hardwick was also unimpressed.
"Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management," he wrote.
"We've been scrambling to obtain a digital certificate for signing our VBA projects since I first became aware of the impending update in mid-June … then immediately after we've incurred that expense and got things working again in the least inconvenient way for our customers, Microsoft just flip a switch without telling anybody? You've got us jumping from one foot to the next and having to second guess what the next volte face is going to be."
The Register has asked Microsoft to confirm the reversal of the default macro block, and to explain why it did not announce it publicly. We'll update this story if we receive a substantive response. ®
Updated to add at 2300 UTC
A spokesperson for Microsoft has been in touch to share this snippet of detail:
Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.
Regardless of the default setting, customers can block internet macros through the Group Policy settings described in this article. We will provide additional details on timeline in the upcoming weeks.
As stated, this is apparently a temporary U-turn.