Microsoft appears to be rolling back Office Macro blocking

Microsoft appears to be rolling back Office Macro blocking

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are not being treated as expected in Office.

The shifting sands of macro blocking

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

Is it just me or have Microsoft rolled this change back on the Current Channel?

I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.

Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.

It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

Waiting for more information

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

…based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Update: 07/12/22: Microsoft have added additional context to this change, and it looks as though the removal of automatic blocking is only temporary. From Kellie Eickmeyer, principal product manager at Microsoft:

Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.

Update 07/22/22: It’s been confirmed that Microsoft has now reverted back to blocking VBA Macros, after a temporary pause. There’s still surprisingly little information as to why any of this happened in the first place. However, the “Helping users stay safe: blocking internet macros by default in Office” page was updated on July 20 with the following information:

We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share. Please refer to the following documentation:

•            For end users,A potentially dangerous macro has been blocked

•            For IT admins,Macros from the internet will be blocked by default in Office

If you ever enabled or disabled the Block macros from running in Office files from the Internet policy, your organization will not be affected by this change.

As reported by Bleeping Computer, many users of Microsoft products have found these changes very confusing. Hopefully any changes of a security nature such as this will be communicated more clearly in future.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.