That didn’t last! Microsoft turns off the Office security it just turned on
Credit to Author: Paul Ducklin | Date: Mon, 11 Jul 2022 13:27:10 +0000
Remember 1999?
Well, the Melissa virus just called, and it’s finding life tough in 2022.
It’s demanding a return to the freewheeling days of the last millennium, when Office macro viruses didn’t face the trials and tribulations that they do today.
In the 1990s, you could insert VBA (Visual Basic for Applications) macro code into documents at will, email them to people, or ask them to download them from a website somewhere…
…and then you could just totally take over their computer!
In fact, it was even better/worse than that.
If you created a macro subroutine with a name that mirrored one of the common menu items, such as FileSave or FilePrint, then your code would magically and invisibly be invoked whenever the user activated that option.
Worse still, if you gave your macro a name like AutoOpen, then it would run every time the document was opened, even if the user only wanted to look at it.
And if you installed your macros into a central repository known as the global template, your macros would automatically apply all the time.
Worst of all, perhaps, an infected document could implant macros into the global template, thus infecting the computer, and the same macros (when they detected they were running from the global template but the document you just opened was uninfected) could copy themselves back out again.
That led to regular “perfect storms” of fast-spreading and long-running macro virus outbreaks.
Macro viruses spread like crazy
Simply put, once you’d opened one infected document on your computer, every document you opened or created thereafter would (or could, at least) get infected as well, until you had nothing but infected Office files everywhere.
As you can imagine, at that point in the game, any file you sent to or shared with a colleague, customer, prospector, investor, supplier, friend, enemy, journalist, random member of the public…
…would contain a fully-functional copy of the virus, ready to do its best to infect them when they opened it, assuming they weren’t infected already.
And if that wasn’t enough on its own, Office macro malware could deliberately distribute itself, instead of waiting for you to send a copy to someone else, by reading your email address book and sending itself to some, many or all of the names in there.
If you had an address book entry that was an email group, such as Everyone, or All Friends, or All Global Groups, then every time the virus emailed the group, hundreds or thousands of infectious messages would go flying across the internet to all your colleagues. Many of them would soon mail you back as the virus got hold of their computer, too, and a veritable email storm would result.
The first macro malware, which spread by means of infected Word files, appeared in late 1995 and was dubbed Concept, because at that time it was little more than a proof-of-concept.
But it was quickly obvious that malicious macros were going to be more than just a passing headache.
Microsoft was slow to come to the cybersecurity party, carefully avoiding terms such as virus, worm, Trojan Horse and malware, resolutely referring to the Concept virus as nothing more than a “prank macro”.
A gradual lockdown
Over the years, however, Microsoft gradually implemented a series of functional changes in Office, by variously:
- Making it easier and quicker to detect whether a file was a pure document, thus swiftly differentiating pure document files from template files with macro code inside. In the early days of macro viruses, back when computers were much slower than today, significant and time-consuming malware-like scanning was needed on every document file just to figure out if it needed scanning for malware.
- Making it harder for template macros to copy themselves out into uninfected files. Unfortunately, although this helped to kill off self-spreading macro viruses, it didn’t prevent macro malware in general. Criminals could still create their own booby-trapped files up front and send them individually to each potential victim, just as they do today, without relying on self-replication to spread further.
- Popping up a ‘dangerous content’ warning so that macros couldn’t easily run by mistake. As useful as this feature is, because macros don’t run until you choose to allow them, crooks have learned how to defeat it. They typically add content to the document that helpfully “explains” which button to press, often providing a handy graphical arrow pointing at it, and giving a believable reason that disguises the security risk involved.
- Adding Group Policy settings for stricter macro controls on company networks. For example, administrators can block macros altogether in Office files that came from outside the network, so that users can’t click to allow macros to run in files received via email or downloaded from the web, even if they want to.
At last, in February 2022, Microsoft announced, to sighs of collective relief from the cybersecurity community, that it was planning to turn on the “inhibit macros in documents that arrived from the internet” option by default, for everyone, all the time.
The security option that used to require Group Policy intervention was finally adopted as a default setting.
In other words, as a business you were still free to use the power of VBA to automate your internal handling of official documents, but you wouldn’t (unless you went out of your way to permit it) be exposed to potentially unknown, untrusted and unwanted macros that weren’t from an approved, internal source.
As we reported at the time, Microsoft described the change thus:
VBA macros obtained from the internet will now be blocked by default.
For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.
We were enthusiastic, though we thought that the change was somewhat half-hearted, noting that:
We’re delighted to see this change coming, but it’s nevertheless only a small security step for Office users, because: VBA will still be fully supported, and you will still be able to save documents from email or your browser and then open them locally; the changes won’t reach older versions of Office for months, or perhaps years, [given that] change dates for Office 2021 and earlier haven’t even been announced yet; mobile and Mac users won’t be getting this change; and not all Office components are included. Apparently, only Access, Excel, PowerPoint, Visio, and Word will be getting this new setting.
Well, it turns out not only that our enthusiasm was muted, but also that it was short-lived.
Last week, Microsoft unchanged the change, and unblocked the block, stating that:
Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.
Regardless of the default setting, customers can block internet macros through the Group Policy settings described in the article Block macros from running in Office files from the Internet.
We will provide additional details on timeline in the upcoming weeks.
What to do?
In short, it seems that sufficiently many companies not only rely on receiving and using macros from potentially risky sources, but also aren’t yet willing to change that situation by adapting their corporate workflow.
- If you were happy with this change, and want to carry on blocking macros from outside, use Group Policy to enable the setting regardless of the product defaults.
- If you weren’t happy with it, why not use this respite to think about how you can change your business workflow to reduce the need to keep transferring unsigned macros to your users?
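As an added example (not from the article, and not Microsoft’s own tooling), this PowerShell script audits, or with -Enforce pins, the “Block macros from running in Office files from the Internet” policy for the five Office apps named above, and checks whether a given document carries the mark-of-the-web that makes the block apply. It assumes an Office release keyed as 16.0 in the registry and uses the registry value that Group Policy setting writes, blockcontentexecutionfrominternet.

```powershell
# Added example, not from the article. Audit (and optionally pin) the
# "Block macros from running in Office files from the Internet" policy,
# then show how Office decides a file came "from the Internet".
# Assumes Office 2016/2019/2021/365 (registry version 16.0).
param(
    [switch]$Enforce,          # write the policy value instead of only reporting it
    [string]$DocumentPath      # optional: a downloaded .docm/.xlsm to inspect
)

$apps = 'word', 'excel', 'powerpoint', 'access', 'visio'

foreach ($app in $apps) {
    # The Group Policy ADMX writes under Policies\...; the per-user Trust Center
    # preference lives under Software\Microsoft\... and is overridden by policy.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $prefKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $name      = 'blockcontentexecutionfrominternet'   # REG_DWORD, 1 = block

    $policy = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $pref   = (Get-ItemProperty -Path $prefKey   -Name $name -ErrorAction SilentlyContinue).$name

    if ($Enforce -and $policy -ne 1) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $name -Value 1 -Type DWord
        $policy = 1
    }

    # Policy wins over preference; if neither is set, the product default applies,
    # which is exactly the value Microsoft changed and then rolled back.
    $effective = if ($null -ne $policy) { "policy=$policy" }
                 elseif ($null -ne $pref) { "user preference=$pref" }
                 else { 'product default (not pinned)' }
    '{0,-11} {1}' -f $app, $effective
}

if ($DocumentPath) {
    # Office treats a file as "from the Internet" when it carries a Zone.Identifier
    # alternate data stream with ZoneId 3 (Internet) or 4 (Restricted sites).
    $zoneLine = Get-Content -Path $DocumentPath -Stream Zone.Identifier -ErrorAction SilentlyContinue |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zone = if ($zoneLine) { [int]($zoneLine -replace '^ZoneId=', '') } else { $null }

    if ($null -eq $zone) {
        "$DocumentPath has no mark-of-the-web; the block does not apply and Office falls back to its normal macro warning."
    } elseif ($zone -in 3, 4) {
        "$DocumentPath is marked as from the Internet (ZoneId=$zone); the policy above applies to it."
    } else {
        "$DocumentPath carries ZoneId=$zone (local/intranet/trusted); the block does not apply."
    }
}
```

Run it without -Enforce first to see which apps are still relying on the product default, since that default is the one that just moved back.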
It’s an irony that a cybersecurity change that a cynic might have described as “too little, too late” turns out, in real life, to have been “too much, too soon.”
Let’s make sure that we’re collectively ready for modest cybersecurity changes of this sort in future…