Microsoft makes major course reversal, allows Office to run untrusted macros

    Microsoft makes major course reversal, allows Office to run untrusted macros

    Getty Images

    Microsoft has stunned core parts of the security community with a decision to quietly reverse course and allow untrusted macros to be opened by default in Word and other Office applications.

    In February, the software maker announced a major change it said it enacted to combat the growing scourge of ransomware and other malware attacks. Going forward, macros downloaded from the Internet would be disabled entirely by default. Whereas previously, Office provided alert banners that could be disregarded with the click of a button, the new warnings would provide no such way to enable the macros.

    “We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Microsoft Office Program Manager Tristan Davis wrote in explaining the reason for the move.

    Security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.

    ‘Very poor product management’

    Now, citing undisclosed “feedback,” Microsoft has quietly reversed course. In comments like this one posted on Wednesday to the February announcement, various Microsoft employees wrote: “based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience.”

    The terse admission came in response to user comments asking why the new banners were no longer looking the same. The Microsoft employees didn’t respond to forum users’ questions asking what the feedback was that caused the reversal or why Microsoft hadn’t communicated it prior to rolling out the change.

    “It feels like something has undone this new default behavior very recently,” a user named vincehardwick wrote. “Maybe Microsoft Defender is overruling the block?”

    After learning Microsoft rolled back the block, vincehardwick admonished the company. “Rolling back a recently implemented change in default behavior without at least announcing the rollback is about to happen is very poor product management,” the user wrote. “I appreciate your apology, but it really should not have been necessary in the first place, it’s not like Microsoft are new to this.”

    On social media, security professionals lamented the reversal. This tweet, from the head of Google’s threat analysis group, which investigates nation-state-sponsored hacking, was typical.

    “Sad decision,” Google employee Shane Huntley wrote. “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.”

    Not all experienced defenders, however, are criticizing the move. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the change was necessary because the previous schedule was too aggressive in the deadline for rolling out such a major change.

    “While this isn’t the best for security, it’s exactly what many of Microsoft’s largest customers need,” Williams told Ars. “The decision to cut off macros by default will impact thousands (more?) of business-critical workflows. More time is needed to sunset.”

    Microsoft PR has provided no comment on the change in the almost 24 hours that have passed since it first surfaced. A representative told me she is checking on the status.

    Recent Products

    NYC pain management doctor allegedly assaulted woman

    A Manhattan pain management doctor was the one inflicting the suffering when he allegedly assaulted a woman and tossed her cellphone out a 30th...

    Arknights: Azure’s Module Upgrade Tier List | Arknights Wiki

    The Module Upgrade system is a new mechanic that will be introduced during the Lingering Echoes event that allows players to upgrade any available Module they already have...

    Intel Core i9-13900K Scores Top Spot As The Fastest Single-Threaded CPU In PassMark Benchmark

    Intel's upcoming Core i9-13900K Raptor Lake flagship CPU has become the fastest single-threaded chip within the PassMark benchmark ranking. The Intel Raptor Lake Core i9-13900K...

    Rust-Written Apple DRM Linux Kernel Driver Renders First Cube

    The very early stage Direct Rendering Manager (DRM) driver being written in the Rust programming language to support the Apple M1/M2 graphics processor achieved...

    Related Products

    Leave A Reply

    Please enter your comment!
    Please enter your name here

    Stay on op - Ge the daily news in your inbox