Microsoft is reversing course, allowing Office to run untrusted macros

Written by admin


Microsoft surprised key parts of the security community by quietly reversing course and allowing untrusted macros to open in Word and other Office programs.

The software maker in February announced a major change it said it was enacting to combat the growing scourge of ransomware and other malware attacks. Going forward, macros downloaded from the Internet would be completely disabled by default. Whereas Office previously provided alert banners that could be ignored with the click of a button, the new alerts would not provide a way to enable macros.

“As we have done here, we will continue to adjust our user experience for macros by maintaining a path for running legitimate macros through Trusted Publishers and/or Safe Places, where appropriate, to make it harder for users to be tricked into running malicious code through social engineering,” Microsoft Office Program Manager Tristan Davis wrote in explaining the reason for the move.

Security experts — some of whom have watched customers and employees become infected with ransomware, wipers and spyware for the past two decades — welcomed the change.

“Product management is very poor”

Now, citing undisclosed “feedback,” Microsoft has quietly reversed course. In comments like this one, posted on Wednesday to the February announcement, various Microsoft employees wrote: “Based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far and are working to make improvements to this experience.”

The brief acknowledgment came in response to user comments asking why the new banners no longer looked the same. Microsoft officials did not respond to questions from forum users asking what feedback caused the rollback or why Microsoft did not notify them before rolling out the change.

“This new default behavior feels like something has been overridden recently,” a user named Vincehardwick wrote. “Maybe Microsoft Defender is unblocking?”

After learning that Microsoft had taken back the block, Vincehardwick alerted the company. The user wrote: “It is very poor product management to revert a recently implemented change to default behavior without at least announcing that the revert will occur.” “I appreciate your apology, but it shouldn’t have been necessary in the first place, Microsoft is not new to this.”

Security experts on social media lamented the reversal. This tweet from the head of Google’s threat analysis team, which investigates nation-state-sponsored hacking, was typical.

“Sad decision,” Google employee Shane Huntley wrote. “Blocking office macros would do more to defend against real threats than all the threat intel blog posts.”

Not all experienced defenders criticized the move. Former NSA hacker Jake Williams, now executive director of cyber threat intelligence at security firm SCYTHE, said the change was necessary because the previous schedule was too aggressive for rolling out such a big change.

“It’s not the best in terms of security, but it’s what many of Microsoft’s biggest customers need,” Williams told Ars. “The decision to cut macros by default will affect critical workflows for thousands (more?) of businesses. It takes more time for the sun to set.”

Microsoft PR has not commented on the change in the nearly 24 hours since it first surfaced. The rep told me she was checking on the status.
