Microsoft backtracks on change to block Office macros, despite security concerns
“To say I'm disappointed is an understatement.”
Microsoft has quietly rolled back a change to block Office macros sourced from the internet just one month after pushing it out on the default update channel, and said it is “working on improvements”.
The software giant said it would block macros bearing the “Mark of the Web” from running in Word, Excel, PowerPoint, Access and Visio back in February, due to the extreme security risk of allowing unchecked code to run. Office macros have been used for nefarious purposes since the 1990s, including 1999’s Melissa virus.
Unfortunately, many users strongly objected to the decision to block Office macros, as the ubiquitous tools are extremely useful – and while there are ways to work around the block, these are cumbersome and awkward. User complaints can be seen in the comment thread under Microsoft’s February announcement.
Fittingly, that’s where news of the change broke yesterday. User Vince Hardwick was trying to reproduce the blocking notification, only to discover it didn’t appear, and in response to his query a Microsoft representative confirmed the change had been rolled back.
“Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available,” said the rep.
On Microsoft’s documentation page about the change to block Office macros, the firm also posted an update: “Based on feedback, we're rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.”
That announcement appears under a table detailing how the change to block Office macros would be rolled out. Until a few days ago, the table showed the change implemented for the Current Channel on 6 June, with the Monthly Enterprise Channel due to see the change in July 2022, and the Semi-Annual Enterprise Channel in September 2022 for preview, then January 2023 for all.
Now the table shows only the Current Channel Preview release in April 2022 – all other channels are “TBD”.
Condemnation of Microsoft’s volte-face on the change was swift and strong. Former Microsoft security researcher Kevin Beaumont – who pointed out in February that macros account for about a quarter of ransomware entry – said on Twitter: “To say I'm disappointed is an understatement.”
https://twitter.com/GossiTheDog/status/1545197101688274944
Eva Galperin, director of cybersecurity at the EFF, said: “This is a terrible idea. I've lost track of the number of campaigns I saw targeting civil society that used office macros to install malware.”
Hardwick, the commenter who first noticed the change, also made his frustration known in the comment thread: “Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management.
“We've been scrambling to obtain a digital certificate for signing our VBA projects since I first became aware of the impending update in mid-June... then immediately after we've incurred that expense and got things working again in the least inconvenient way for our customers, Microsoft just flip a switch without telling anybody? You've got us jumping from one foot to the next and having to second guess what the next volte face is going to be,” he added.
But the next commenter welcomed the change, and is unlikely to be the only one: “MOTW is for advanced teams. Your standard SMB and even mid-sized businesses are going to implode if this gets fully implemented in it's [sic] current form. You seem to be catering to enterprises now that have very large teams of people to manage your products, and that's simply not the case for most of the user base. It needs to be simplified before it's released, and moreso, it needs to be effectively communicated.”
The Stack has asked Microsoft for a comment and information on its plans to block Office macros.