LENSHIKER - stock.adobe.com
Microsoft has moved to reassure users of the Microsoft 365 Apps for enterprise suite that its decision last week to rollback new cyber security measures blocking the use of Visual Basic for Applications (VBA) by default macros is a temporary measure, and the policy will be reenacted in the near future.
The reversal of the blocking policy – which was implemented to better protect Office users, particularly remote ones, from inadvertently downloading malware by throwing extra layers of security in their way – caught users by surprise, with many frustrated that the change was not communicated to them.
The rollback also caused confusion in the security community, as the policy appeared to have been working quite well, with threat actors forced to switch up their campaign tactics because it was becoming less effective to simply spam users with tainted .docx or .xlsx files.
Redmond has now responded to the questions raised by the rollback, and revealed that it took the decision to suspend the policy while it makes some needed tweaks.
“Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability,” a Microsoft spokesperson told Computer Weekly in comments emailed on 11 July.
“This is a temporary change, and we are fully committed to making the default change for all users,” they added. “Regardless of the default setting, customers can block internet macros through the Group Policy settings described in this article.
“We will provide additional details on timeline in the upcoming weeks.”
Read more about Microsoft product security
- The last Patch Tuesday in its current form is overshadowed by persistent concerns about how Microsoft deals with vulnerability disclosure.
- Malicious Word documents have been used to invoke a previously undisclosed vulnerability in Microsoft Office without user interaction through Windows utility functions.
- Microsoft patched a critical Azure Synapse vulnerability twice, but each time the researcher who discovered it was able to bypass it with ease, leading to a lengthy saga.
As the above-linked article makes clear, it is still perfectly possible to block VBA macros in Microsoft 365 Apps for enterprise, but until Microsoft reverts to blocking by default, this feature will need to be implemented by admins.
Microsoft does recommend blocking macros from running in Office files from the internet as part of the security baseline for Microsoft 365 Apps for enterprise, and broadly speaking, admins should do so for most users, making exceptions only in very specific circumstances.
Admins will need to enact blocking separately for each of the five applications that were in scope of the policy by navigating to the Group Policy Management Console under User Configuration\Policies\Administrative Templates.
For Access, this will be Microsoft Access 2016\Application Settings\Security\Trust Center; for Excel, Microsoft Excel 2016\Excel Options\Security\Trust Center; for PowerPoint, Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center; for Visio, Microsoft Visio 2016\Visio Options\Security\Trust Center; and for Word, Microsoft Word 2016\Word Options\Security\Trust Center.
Alternatively, admins can use the VBA Macro Notifications Settings to manage how macros are handled by Office. Doing so will prevent users from being lured into enabling malicious macros by displaying a Trust Bar with a warning that macros are present but disabled. Users will still be able to inspect and even edit files, but can’t use any disabled functionality without clicking through to enable that on the Trust Bar, in which case the file will be added as a Trusted Document, and macros allowed to run. This policy can be enabled across the five in-scope applications by navigating to the same locations as listed above.
Note that these policies only apply to Microsoft 365 Apps for enterprise, not Microsoft 365 Apps for business.