Microsoft Makes Major Reversal, Allows Office to Run Untrusted Macros [Updated]

Microsoft makes course reversal, allows Office to run unapproved macros [Update]

Microsoft surprised key players in the security community by quietly reversing course and once again letting users enable untrusted macros in documents downloaded from the Internet, in Word and other Office applications. (Update July 11: The company later clarified the move was temporary.)

In February, the software maker announced a major change it said it had adopted to combat the growing scourge of ransomware and other malware attacks. In the future, macros in files downloaded from the Internet (files carrying the Mark of the Web) would be blocked by default. Whereas previously Office showed a warning banner that could be dismissed with a single click on "Enable Content," the new banner would offer no button to enable macros at all.

"We will continue to adjust our user experience for macros, as we have done here, to make it harder to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate through Trusted Publishers and/or Trusted Locations,” Microsoft Office Program Manager Tristan Davis wrote, explaining the reason for the move.
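The block Microsoft describes is also exposed as an Office policy setting, so an organization does not have to wait for the shipped default. The following is an added example, not code from the article or from Microsoft: it sets the documented "Block macros from running in Office files from the Internet" policy (registry value `blockcontentexecutionfrominternet`) for the current user in each Office 16.x application, optionally tightens `VBAWarnings` so that only macros from Trusted Publishers run, and then reads the values back. The version key `16.0`, the list of applications, and the sample download path `invoice.docm` are assumptions for illustration.

```powershell
# Added example (not from the article or from Microsoft). Enforce the
# "block macros in files from the Internet" policy per user for Office 16.x
# apps, independent of the default Microsoft ships, then verify it.
# Assumptions: Microsoft 365 Apps / Office 2016+ (version key "16.0");
# the five apps below are the ones the policy applies to.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 1 = macros in files carrying the Mark of the Web are blocked with no
    #     "Enable Content" button; Trusted Locations still bypass this.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -Type DWord -Value 1
    # Optional, stricter: 3 = disable all macros except digitally signed
    # ones, so only Trusted Publishers can supply runnable macros.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 3
}

# Read back what is actually in effect for each app.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App               = $app
        BlockFromInternet = $p.blockcontentexecutionfrominternet
        VBAWarnings       = $p.VBAWarnings
    }
}

# The policy keys on the Mark of the Web, which lives in the
# Zone.Identifier alternate data stream. Check a downloaded document
# (path is an assumption for illustration) to confirm it carries one;
# a file copied in via a container format or an unzipping tool that
# strips the stream will not be blocked.
$doc = "$env:USERPROFILE\Downloads\invoice.docm"
if (Test-Path $doc) {
    Get-Content -Path $doc -Stream Zone.Identifier -ErrorAction SilentlyContinue
}
```

Settings written under `HKLM:\Software\Policies` or delivered through Group Policy or Cloud Policy take precedence over these per-user values, so check those first when the read-back does not match what you set.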

Security professionals, some of whom have spent the past two decades watching customers and employees get infected with ransomware, wiper malware, and espionage tools with frustrating regularity, applauded the change.

> "Very poor product management"

Now, citing undisclosed "comments", Microsoft has quietly backtracked. In comments like this one posted Wednesday to the February announcement, various Microsoft employees wrote, “Based on the feedback, we are reverting this change to Current Channel production. We appreciate the feedback we've received so far and are working to improve this experience."

Microsoft then updated the message to say that the reversal would not be permanent. “Based on user feedback, we have temporarily rolled back this change while we make additional changes to improve usability,” the updated post reads. "This is a temporary change, and we are fully committed to making the change the default for all users."

The terse admission came in response to user feedback asking why the new banners no longer looked the same. Microsoft employees did not respond to questions from forum users asking what comments caused the reversal or why Microsoft did not communicate it before rolling out the change.

"Looks like something has overridden this new default behavior very recently," wrote a user named vincehardwick. "Maybe Microsoft Defender is overriding blocking?"

After learning that Microsoft had reversed the block, vincehardwick reprimanded the company. "Undoing a recently implemented change in default behavior without at least announcing that the rollback is about to happen is very bad product stewardship," the user wrote. "I appreciate your apology, but it really shouldn't have been necessary in the first place, it's not like Microsoft was new to this."

On social media, security professionals lamented the reversal. This tweet, from the head of Google's Threat Analysis Group, which investigates state-sponsored hacking, was typical.

“Sad decision,” wrote Google employee Shane Huntley. "Blocking Office macros would do infinitely more to defend against real threats than all the threat blog posts."

Sad decision. Blocking Office Macros would do infinitely more to defend against real threats than all the Threat Blog posts.

I still see that our primary mission in threat intelligence is to drive change to protect people. https://t.co/JFMeyzefov

—Shane Huntley (@ShaneHuntley)

