Microsoft Office macros from the Internet are blocked by default

Microsoft plans to change the security settings in Office so that macro code from the Internet is switched off by default. Sophos takes a closer look at this announcement.


Good news at last: Microsoft announced a change to the security settings in Office, which will now turn off macro code from the Internet by default.


Historically, this step is (long) overdue. In fact, macro viruses were already a problem before Office applications were merged into a suite of tools using a common macro coding language called VBA (Visual Basic for Applications). But what does this move from Redmond really mean and what does it mean for users from a security perspective?


An (excessively) long history


Even before 1997, Microsoft Word had its own scripting language called WordBasic (incompatible with the later VBA), which was widely misused by malware authors to program self-loading computer viruses. Later, when the standardized and more powerful scripting language came into use across Office, cybercriminals pounced on it eagerly.


From the software vendor’s point of view, the scripts were a well-intentioned approach: if an Office document contained an embedded macro whose name matched one of the Office menu options, that macro would be triggered automatically when someone clicked the corresponding menu item. This allowed organizations to easily customize the behavior of their Office applications to suit their own workflows, which was hugely convenient. In terms of security, however, macros are a considerable problem. For example, event-based macros, such as Auto_Open, were triggered automatically as soon as the user just “looked at” the document. This was a boon for a malware author who wanted to booby-trap a document file. No special hacking or programming knowledge was required to trigger an embedded virus each time the document was accessed.


An additional part of the problem was that the vast majority of users didn’t actually need VBA at all, yet were forced to install it and have it enabled by default.


For years, the cybersecurity industry has pushed Microsoft to change Office’s default settings so that VBA functionality can be disabled at installation, or not installed at all, if you choose. The answer from Redmond was always “no”.





Steady drip


Ultimately, Microsoft has also embraced cybersecurity and continually made changes to the VBA ecosystem. These helped curb the “free rein” of virus writers in the late 1990s.


Examples include easier and faster detection of whether a file is document-only, which quickly distinguishes document objects that contain no macros at all from template files with macro code. However, this has not prevented macro malware in general. Useful as it is that macros do not run until they are allowed, cybercriminals have learned to get around this hurdle as well.
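The distinction between document-only and macro-bearing files described above can be checked directly in the modern Office (OOXML) formats, which are ZIP containers that keep VBA code in a part named vbaProject.bin. The following Python triage check is an added example, not Sophos or Microsoft code; the file names and sample bytes are constructed, and the extension set assumes only Word, Excel and PowerPoint files.

```python
import io
import os
import zipfile

# Extensions Office reserves for macro-free OOXML files.
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input: a minimal ZIP shaped like a Word OOXML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes):
    """True/False for OOXML containers, None if the file is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return None  # e.g. legacy binary .doc/.xls: needs an OLE parser instead
    return any(n.endswith("/vbaproject.bin") for n in names)


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension promises with what the container holds."""
    ext = os.path.splitext(filename)[1].lower()
    macro = has_vba_project(data)
    if macro is None:
        return "unknown-container"
    if macro and ext in MACRO_FREE_EXT:
        return "macro-in-macro-free-extension"  # extension and content disagree
    return "macro-enabled" if macro else "document-only"


if __name__ == "__main__":
    for name, blob in [("report.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("old.doc", b"\xd0\xcf\x11\xe0legacy")]:
        print(f"{name:14} {classify(name, blob)}")
```

A mail gateway or intake script can use the "unknown-container" result to route legacy binary formats to a separate OLE-aware scanner instead of treating them as macro-free.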


Another containment measure is a set of Group Policy settings for stricter macro controls in corporate networks. These allow administrators, for example, to completely block macros in Office files that come from outside the network. This prevents users from clicking to enable the execution of macros in files received via email or downloaded from the web. However, this helpful setting is currently disabled by default.


At best, a partial victory over VBA malware


The latest announcement is therefore encouraging at first glance. However, blocking macros by default is only a small security step for Office users, because:


  • VBA is still fully supported, and it is still possible to save documents from email or the browser and then open them locally in a way that allows embedded macros. It is therefore to be expected that cybercriminals will find ways to circumvent this hurdle.
  • These changes will not reach the older versions of Office for a few months, maybe even years. Even the current version will not include macro blocking by default until January 2023 at the earliest. Change dates for Office 2021 and earlier have not even been announced.
  • Mobile and Mac users will not get this change at all.
  • Not all Office components are included. Apparently only Access, Excel, PowerPoint, Visio and Word will get this new setting. Although these file types cover the majority of attacks, it would be better if this macro blocking feature applied to all Microsoft products.

Further information:


For a detailed report on macro codes in Microsoft Office by Sophos security specialist Paul Ducklin, click here.


www.sophos.com