Office documents with malicious macros are still one of the main entry points for ransomware. That’s why Microsoft announced in February that it would block the execution of macros in files from the Internet by default. Now the protective measure has been withdrawn again “based on feedback”. Tests by heise Security show that it never really worked.
The new protection was supposed to have been rolling out since May; according to the official MS Office support document, macros from the Internet are blocked in Office by default. On July 7th, it was even said that the new behavior had been active since version 2205. In our tests with versions 2205 and 2206, however, the usual yellow warning message appeared, which careless users simply click away, thereby infecting their computer. Microsoft did not respond to our inquiries about these contradictions.
A user can simply click away the yellow warnings and thus infect his computer with malware.
The content of the support page changed overnight. It now carries only a brief note: “Based on feedback, we are returning this change from the current channel” – with the consolation that the company will make another attempt at an (unspecified) later date. Microsoft doesn’t explain exactly what the problem was. We still have not received an answer to our inquiries about the contradictions.
Security experts had praised the defusing of the macro threat as a step that was long overdue. The fact that Microsoft is now taking it back and reverting to the known unsafe behavior is very problematic from a security point of view. The annual damage caused by ransomware runs into the billions in Germany alone, and a considerable part of it is due to the dangerous behavior of MS Office.
But this episode also casts a very unfavorable light on Microsoft’s update strategy, which once again proves to be unreliable. It all looks as if Microsoft rolled out this function only half-heartedly and then pulled it back again after protests from some customers, without communicating this. This is generally not a professional approach; with safeguards that customers rely on, it’s actually unforgivable. Microsoft appears to be in a position where the company believes it can do anything.
If you want to test how your own Office behaves, you can have heise Security’s Emailcheck send you a harmless Doc file with a macro. Optionally, you can also get a ZIP archive there, containing a normal file and a Doc file with a test macro. Note: It may take a few minutes for the emails to be sent. If nothing has arrived after 10 minutes, the e-mail may have been filtered out by a virus filter as “potentially malicious”. This is a sensible precautionary measure, especially in companies that cannot switch to alternatives such as LibreOffice.