Blocks for Flash and others coming to Office 365


If you’re a user of Microsoft Office products such as Word and Excel, you’re probably aware that they’ve been used as inroads for malware for a long, long time. But what about malware attacks without Macros? Sure. Macro malware for Macs? That, too. Malicious documents and spying tools? Danger, Will Robinson.

We have some good news and some bad news.

The good news is that monthly subscribers of Office 365 are getting some new protection in the fight against bogus attachments and malicious files; the bad news is the changes don’t currently apply to standalone versions of Office.

What’s being changed?

Silverlight, Flash, and Shockwave are all getting the chop. If you used to run a malware campaign based around use of these controls, that won’t be the case for much longer. A combination of seeing these features used in rogue campaigns, generally low legitimate use by product users (when was the last time you embedded Shockwave?), and a rapidly approaching end of the line for both Flash and Silverlight means it made a lot of sense for Microsoft to bring the hammer down.

As the Microsoft blog notes, this alteration makes no difference in situations where the control is activated outside of Office—for example, placing a Flash video into some content using the insert online video feature. Still, this is better than what’s gone before. Hopefully, Microsoft will add more protection for people not using the specified version.

Speaking of which…

Help, I’m not using the correct version!

Microsoft has you covered even if you’re not a monthly subscriber of Office 365, though you’ll have to do a bit of the shovel work yourself to shore up your defences. Roll up your sleeves, set aside a bit of spare time, and delve into this help article, which provides step-by-step instructions to lock things down. Some caveats here:

  1. You’ll have to do a spot of registry editing.
  2. Editing the registry and getting it wrong can cause all sorts of problems. Ensure you’ve made a backup before touching it. Better safe than sorry!

What kind of danger are we talking?

Things like rogue embedded Flash aren’t just theoretical. It’s something we see a lot of. For example, here’s an exploit making use of rogue Excel documents targeting South Koreans via Flash.

Here’s the booby-trapped Excel sheet in action, complete with hidden ActiveX object highlighted in white:



From here, it pings one of several websites with a unique identifier, the Flash version on board, and the Operating System version. If the stars align, then it’s exploit time with a side slice of Remote Administration Tool to boot.

This is a pretty sophisticated attack, but there are plenty more out there that are as basic as they come. Either way, they get the results they need to infect an organisation.
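
For defenders who want to check incoming attachments for the kind of embedded control described above, here is an added example (not from the original article or from Microsoft) that scans an Office Open XML file for ActiveX parts referencing Flash, Shockwave or Silverlight. The class IDs are not given on this page; they are assumed to be the publicly documented CLSIDs for these controls and should be verified against Microsoft's guidance. The sample workbooks are constructed inline.

```python
import io
import re
import zipfile

# Assumption: publicly documented CLSIDs for the three controls named in the
# article (not listed on this page; verify against Microsoft's guidance).
BLOCKED_CLSIDS = {
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Flash",
    "D27CDB70-AE6D-11CF-96B8-444553540000": "Flash",
    "233C1507-6A77-46A4-9443-F871F945D258": "Shockwave",
    "DFEAF541-F3E1-4C24-ACAC-99C30715084A": "Silverlight",
}

# ActiveX parts carry the control's class ID in a classid="{...}" attribute.
CLASSID_RE = re.compile(rb"""classid\s*=\s*["']\{?([0-9A-Fa-f-]{36})\}?["']""")


def find_blocked_controls(doc_bytes):
    """Return sorted (part_name, control) pairs for blocked ActiveX controls."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return []  # not OOXML (legacy .xls/.doc need an OLE parser instead)
    hits = set()
    with archive:
        for name in archive.namelist():
            lowered = name.lower()
            # e.g. xl/activeX/activeX1.xml or word/activeX/activeX1.xml
            if "/activex/" not in lowered or not lowered.endswith(".xml"):
                continue
            for match in CLASSID_RE.finditer(archive.read(name)):
                control = BLOCKED_CLSIDS.get(match.group(1).decode().upper())
                if control:
                    hits.add((name, control))
    return sorted(hits)


def build_sample(classid):
    """Constructed sample: a minimal zip holding one ActiveX part."""
    part = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
            'ax:classid="{%s}" ax:persistence="persistStorage"/>' % classid)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/activeX/activeX1.xml", part)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_blocked_controls(build_sample("D27CDB6E-AE6D-11cf-96B8-444553540000")))
    print(find_blocked_controls(build_sample("00000000-0000-0000-0000-000000000001")))
```

The scan covers only the zip-based formats (.xlsx, .docx, .pptx and their macro-enabled variants); a hit is a reason to quarantine the file for review, not proof of an exploit.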

Sounds nasty. When does the block go live?

Microsoft has said that the block rolls into place for Office 365 monthly users next month, with people using the Semi-Annual Targeted Channel and the Semi-Annual Channel receiving theirs in September 2018 and January 2019, respectively.

Of course, you can roll the blocks back yourself if you really want to (is that going to be a thing?) by following these instructions. Warning: once again, this involves some registry editing, so please make sure you’re comfortable before altering anything. Of course, if you have a monthly 365 package, it’s quite possible you’ll have an IT team performing said edits for your organisation anyway.

What else can we do to lock down Office files?

Quite a few things, actually. In more general attacks, scammers will try and convince potential victims to give Windows Admin permissions to rogue files; when that happens, it’s infection time. By the same token, they’ll try everything to convince someone to click through a bunch of “Enable Macro” prompts in an Office file. If you don’t need Macros, you should consider disabling them as soon as possible.

You can also apply a little elbow grease, and think long and hard before opening up an attachment sent your way. If you want to play it safe, always check with the sender before opening up a Word or Excel document. Don’t just stop at email confirmation; if the account has been compromised, then of course you’re going to receive a reply that says, “The attachment is definitely safe, honest.” Pick up the phone if need be. A little caution never hurt anyone, right?

For now, familiarise yourself with the upcoming changes, and have a think about whether or not you still need some of the controls penciled in for blocking. We’ll be keeping an eye out for the response to the changes, as demand for applying similar controls for other versions of Office is likely to be high. Fingers crossed, Microsoft will take heed and widen the rollout.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.