Microsoft once again blocks malicious macros in Office

New

Microsoft again blocks malicious macros in Office

Microsoft said this week that it is once again returning to blocking Visual Basic Application (VBA) macros in Office.

This marks a return to a previous decision after the company initially rolled back its harmful macro blocking policy earlier this month. Although Microsoft gave no indication of why the initial macro blocking policy rule was quickly rolled back, it reversed its decision to finalize the policy in a blog post.

“VBA macros are a common way for malicious actors to gain access to malware and ransomware deployment. Therefore, to help improve security in Office, we are changing the default behavior of Office applications to block macros in files from the Internet.”

Microsoft initially announced VBA macro blocking in February in Access, Excel, PowerPoint, Visio, and Word. The company made the change in an April update, and then earlier this month users started noticing that default macro blocking was no longer enabled. Microsoft then quickly responded with the following statement:

Based on user feedback, we’ve temporarily reverted this change while we make a few more changes to improve usability. This is a temporary change, and we are fully committed to making the change default for all users.

The return of the policy this week will now block potentially dangerous macros and display a security risk warning. Here is how Microsoft will determine what may be a harmful macro:

[Click on image for larger view.] Figure 1. How Office determines whether to run macros in a file from the Internet.

Microsoft said some may encounter a false security risk indicator if a file on an organization’s intranet is identified as untrusted. In these situations, Microsoft recommends that IT designate internal locations and networks as trusted sites or a local intranet zone.

Currently, those with Office Version 2203 (rolling out in April) and Office 365 Version 2206 (released in June) will have macros blocked by default. Microsoft said a decision on rolling out the policy to the Monthly Enterprise, Semi-Annual Enterprise, and Semi-Annual Enterprise (Preview) channels has yet to be determined.

Comments are closed.