Back in February I applauded Microsoft for taking a decisive step in the fight against macro malware. Here’s part of what I wrote:
…more than 25 years after it first distributed the Concept virus on CD-ROM and kickstarted the whole problem, Microsoft has done something which might be more successful at stopping the spread of macro malware.
Microsoft has announced that… it is changing the default behavior of Office applications so that they block macros in files from the internet.
What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals.
According to Microsoft, its products would no longer display a yellow warning strip along the top of documents containing macros which – with some clever social engineering – could dupe unsuspecting users into clicking an “Enable Content” button and allowing the malicious macros to run.
Instead, the new design would see a redesign (no more yellow. hello red strip!) without an oh-so-tempting-and-oh-so-dangerous “Enable content” button.
SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted. <Learn More>
Unfortunately, things haven’t gone as smoothly as Microsoft (and, indeed, the rest of us) might have hoped:
Update on July 6, 2022: Based on feedback, we’re rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.
In other words, Microsoft has rolled back its plans. Which is good news for hackers who can continue to rely on the years-old technique of hiding malicious macros inside Office documents – for now at least.
Hopefully Microsoft will resolve whatever issues have bubbled up with its planned macro block, and will have another stab soon at killing such a common vector of attack.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.