Office macro security: on-again-off-again feature now BACK ON AGAIN!

The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…

…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.

Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.

Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.

Fighting back against cybercriminals

Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.

Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.

As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”

To be fair, Microsoft already had an operating system setting that you could use to turn on this safety feature for yourself, but by default it was off.

Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.

Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.

So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.

Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:

Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external servernames, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.

Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.

Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…

…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.

Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more:

The good news amongst the bad news, though, was that Microsoft made it clear that this on-by-default setting would definitely be coming back, possibly quite soon, just as soon as the company felt it had got the message across more clearly about the how, why and wherefore of the change:

Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.

[…] We will provide additional details on timeline in the upcoming weeks.

Well, that “upcoming week” arrived more quickly than we’d dared to hope, with Microsoft updating its updated announcement on 20 July 2022 to say (our emphasis):

We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share.

There you have it!

What to do?

The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:

It’s a small step, and it took 20 years plus an on-off-on-again default-flipping palaver to complete that step…

…but we’re all for it.


go top