Microsoft Office will start blocking downloaded macros by default

Daniel Sims

Posts: 819   +33
Why it matters: Microsoft Office files have long been a popular vector for malware. Now Microsoft is changing Office’s default behavior in its latest attempt to make Office applications more secure. This change will apply to Office versions going back several years.

In a blog post this week, Microsoft announced that it’s adding an extra step in activating macros in Office files downloaded from the internet. Instead of being activated with a single click, Office applications will now show users a warning message they’ll have to get through first.

The change applies to Windows versions of Access, Excel, PowerPoint, Visio, and Word. The update will come to Office 365 first, starting with the version 2203 preview in April. Later on, it will come to Office LTSC and standalone Office 2021, 2019, 2016, and 2013.

Macros are automated processes that users can build into Office files. Hackers have long used them to deliver malware payloads in files sent to victims. In September, Microsoft had to close another large vulnerability in Office and other Microsoft products.

Macros previously had a notification warning users of their risks, but the new message has a more serious tone and a button that leads to more information about risky macros. It even brings users through a checklist of questions highlighting typical social engineering behavior.




Posts: 2,264   +4,415
There's already at least one warning unless you make a folder you use them on a trusted location, which is kind of hidden away and not easy to find on the options.

Look, I wish the world was simple, people would listen and value my job as a data warehouse analyst, give up on their ridiculous requests to have a certain type of shading on their presentation graphics and switch to Tableau or Power BI for their reports instead of Excel.

But I also know that all you are going to accomplish is a second "are you sure?" button that gets clicked by people that contact our department daily to request SSRS reports they can export to Excel so they can run their macros instead of learning to use the much better tools we have now in place.


Posts: 542   +1,018
There's already at least one warning unless you make a folder you use them on a trusted location, which is kind of hidden away and not easy to find on the options.
Yeah, I was thinking that too, 'Aren't they disabled by default already?'

Every Macro based sheet that I have ever got has given me security warnings and the fact is Excel macros aren't going away anytime soon.

Why? Because specialised departmental software does exist but for every niche requirement or data analysis or computation or lists there can't be specialised software. People won't bother learning new software like you mentioned when the Excel that is already installed on literally every computer in any office can get the job done after 10 seconds of Google search. People don't want best or most efficient, they just want something that functions with minimal effort.


Posts: 2,264   +4,415
People don't want best or most efficient, they just want something that functions with minimal effort.

This is the root cause indeed. The sad part is that while at first just doing your sales report in Excel is minimal effort then you get sales from other channels and systems, now you have to get a guy clever enough to learn Excel macros and functions to wrestle the data into something halfway coherent.

Then that guy gets fired or finds a better job or gets sick and what not and now the minimal effort is literally just a macro sheet that barely functions, resides only on a share drive that failed and isn't accessible anymore unless someone can dig out an email from 4 years ago in the rare case they archived it and the upper management is not really pleased at your lack of explanation for results.

That's when companies finally decide "Maybe we do need a Data Warehouse to make sure we report correct numbers from 50 different databases and terabytes upon terabytes of data since nobody knows how to get those old macros to work anyway"


Posts: 4,053   +7,195
So, MS is by default blocking the only thing that gives it any value? If you don't have to use some obscure macro from a government or private source, you don't need Office, as everything else works fine on Google Docs, Libre Office, etc.


Posts: 1,197   +1,735
I'm fairly certain this should've been actually fixed instead of just disabling it. No feature is inherently unsafe. If you wanna do really complex stuff in Excel, formulae just won't cut it, you need macros.

And no, not everyone is capable of doing it in some programming language, with a database. It's a completely different level.

Uncle Al

Posts: 9,436   +8,683
I was a user of Office since its original launch and used it for decades but with each "upgrade" there were less and less real new features. A few years back I changed over to Libre Office and frankly, I didn't miss Office at all. Nowadays I just don't pay any attention to the "new and improved" claims of MicroSludge. If they had any sense they would have developed a new and much more secure operating system that deflected all the hacking. Nope, also went to Linux as well and just don't miss all the garbage .... now nice to evolve into something that can be appreciated .....