Site icon Sophos News

At last! Office macros from the internet to be blocked by default

Yesterday, we wrote that Microsoft had decided to turn off a handy software deployment feature, even though the company described itself as “thrilled” by the feature, and described its functionality as “popular”.

#ICYMI, that was about the use of so-called App Bundles to make software available for download via your browser.

By clicking on an App Bundle link (which starts with ms-appinstaller:// instead of the more usual https://), you would kickstart an installation process that looked much more official and trustworthy than just downloading an EXE file.

Criminals learned how to abuse App Bundles in order to give the impression that their malware installers were somehow approved or vetted by Microsoft, almost as though the download had come from the Microsoft Store itself (it hadn’t).

So, for the greater good of all, Microsoft essentially told its own software to block a useful feature of its own software, until further notice, at any rate:

https://nakedsecurity.sophos.com/2022/02/07/microsoft-blocks-web-installation-of-its-own-app-installer-files/

This sort of thing doesn’t happen often, especially at Microsoft.

But no sooner had we written up the App Installer changes than we received an ever bigger – and, if we’re honest, a better – surprise…

… when Microsoft announced a change to the security settings in Office.

Macro code from the internet will at last be turned off by default!

Fin de siècle

If you’ve been in cybersecurity since the last millennium, you will certainly remember, and may still have occasional nightmares about, Microsoft Office macro viruses.

In fact, macro viruses were already a problem even before the Office apps merged into a suite of tools with a common macro coding language known as VBA, short for Visual Basic for Applications.

Before 1997, for example, Microsoft Word had its own scripting languge called WordBasic – similar to VBA, but not compatible with it – that was widely abused by malware writers for programming self-speading computer viruses.

But VBA was more powerful, more standardised, and once Office appeared, the malware writers took to it like… well, like a duck to water.

Simply put, if an Office document contained an embedded macro with a name that matched one of the Office menu options, then that macro would be triggered automatically whenever the user clicked on that menu item.

This made it easy for companies to adapt the behaviour of their Office apps to match their own workflow, which was enormously handy if you needed or wanted such a feature, for example to limit documents labelled ‘confidential’ from being printed out by mistake.

Even more dramatically, some special event-based macros, such as Auto_Open, were automatically triggered even if all you did was look at the document.

As a result, a malware writer who wanted to booby-trap a document file, getting it to run an embedded virus every single time the document was viewed, didn’t have to learn any special hacking or low-level coding skills at all.

As you probably know, the family of languages known as BASIC are meant to live up to their name. The word has even been wrangled backwards into the acronym Beginners’ All-purpose Symbolic Instruction Code, to remind you that it’s easy to learn because it was designed to be easy to learn.

Virus writing for everyone

Suddenly, anyone and everyone could be a virus writer.

Given that people typically exchanged Office documents many times a day (hundreds or thousands of times more frequently than they ever exchanged programs, or EXE files), macro viruses quickly became an ever-present, ever-troublesome problem.

https://nakedsecurity.sophos.com/2015/09/28/why-word-macro-malware-is-back-and-what-you-can-do-about-it/

Part of the problem was that that the vast majority of users, who didn’t really need VBA at all, were forced to have it installed and enabled by default.

Even those who didn’t want it and knew they didn’t want it couldn’t choose to skip the VBA part at installation time, or reliably turn it off afterwards.

For years, the cybersecurity industry urged Microsoft to change the Office defaults to allow installs where VBA functionality could be turned off (at the least), omitted entirely if desired (better still), or not installed by default at all (best of all).

The answer was always a resounding “No”.

Microsoft’s annoying, but understandable, argument was that endpoint software products generally get judged, by users and reviewers alike, based on what they do “out ot the box”.

Redmond suggested that full-power-Office-with-non-default-VBA would quickly become known in the market as a low-end-document-suite-with-no-macro-support-at-all, and thus the company would effectively be undermining its own product to give more aggressive competitors an unfair advantage.

(We’ve simplified enormously, but you get the idea, and anyone who has ever worked in a product management department or in product marketing will probably sympathise with Microsoft’s position. If your regular product already has features that influential customers expect, you don’t do yourself any favours by pretending that it doesn’t.)

Gradual restrictions and improvements

Ultimately, Microsoft did come to the cybersecurity party, and made steady changes to the VBA ecosystem that definitely helped to curb the virus writers’ “free-for-all” that existed in the late 1990s.

Sample security-related changes include:

More change coming soon

We still haven’t reached the point where an informed user with a local Office installation can remove VBA entirely and open Office files in a world in which VBA cannot work, rather than simply not working (which is nearly, but ultimately not at all, the same thing).

But Microsoft claims that this year’s Office 2203 releases will have one significantly different default – different by Redmond’s standards, anyway:

VBA macros obtained from the internet will now be blocked by default.

For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.

It took us ages to figure out the version number 2203. Having lived through Y2K – and, indeed, having been on duty in SophosLabs at that magical midnight hour, we’ve naively assumed that no one in the world, let alone anyone in IT or computer science, would now knowingly write the year as YY instead of YYYY. But 2203 apparently refers to “March 2022”, which means official releases starting in early April 2022.

According to Microsoft, any document tagged as having come from the internet, e.g. an email attachment or a web download, will be treated as though it contains no macros.

By default, you won’t be able to enable the macros from inside Office, even if you’re convinced (or are certain) that the macros are both expected and trustworthy.

Instead, says the report, you’ll see this:

Not exactly a victory over VBA malware

We’re delighted to see this change coming, but it’s nevertheless only a small security step for Office users, because:

For further information, consult Microsoft’s official article, Macros from the internet will be blocked by default in Office.


Exit mobile version