Microsoft makes a major reversal, allows Office to run untrusted macros


Microsoft surprised key players in the security community by quietly reversing course and allowing untrusted macros to open by default in Word and other Office applications.

In February, the software maker announced a major change it said it had adopted to combat the growing scourge of ransomware and other malware attacks. In the future, macros downloaded from the Internet would be completely disabled by default. Whereas previously Office provided warning banners that could be dismissed with a single click, the new warnings would provide no way to enable macros.

"We will continue to adjust our user experience for macros, as we have done here, to make it harder to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate through Trusted Publishers and/or Trusted Locations," Microsoft Office Program Manager Tristan Davis wrote, explaining the reason for the move.

Security professionals, some of whom have spent the past two decades watching customers and employees get infected with ransomware, wipers, and espionage malware with frustrating regularity, applauded the change.

> "Very poor product management"

Now, citing undisclosed "feedback," Microsoft has quietly backtracked. In comments like this one posted Wednesday to the February announcement, various Microsoft employees wrote, "Based on the feedback, we are reverting this change to Current Channel production. We appreciate the feedback we've received so far and are working to improve this experience."

The terse admission came in response to user feedback asking why the new banners no longer looked the same. Microsoft employees did not respond to questions from forum users asking what feedback caused the reversal or why Microsoft did not communicate it before rolling out the change.

"Looks like something has overridden this new default behavior very recently," wrote a user named vincehardwick. "Maybe Microsoft Defender is overriding blocking?"

After learning that Microsoft had reversed the block, vincehardwick reprimanded the company. "Undoing a recently implemented change in default behavior without at least announcing that the rollback is about to happen is very bad product stewardship," the user wrote. "I appreciate your apologies, but it really shouldn't have been necessary in the first place, it's not like Microsoft was new to this."

On social media, security professionals lamented the reversal. This tweet, from the head of Google's Threat Analysis Group, which investigates state-sponsored hacking, was typical.

"Sad decision," wrote Google employee Shane Huntley. "Blocking Office macros would do infinitely more to defend against real world threats than all the threat blog posts."

> Sad decision. Office macro blocking would do infinitely more to defend against real threats than all the threat blog posts.
>
> I still see that our primary mission in threat intelligence is to drive change to protect people. https://t.co/JFMeyzefov
>
> — Shane Huntley (@ShaneHuntley) July 8, 2022

However, not all experienced defenders are critical of this decision. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the change was necessary because the previous timeline was too aggressive for rolling out such a major change.

"W...
