Microsoft rolls back plan to block macros by default

Microsoft rolls back plan to block macros by default

Back in February I applauded Microsoft for taking a decisive step in the fight against macro malware. Here’s part of what I wrote:

…more than 25 years after it first distributed the Concept virus on CD-ROM and kickstarted the whole problem, Microsoft has done something which might be more successful at stopping the spread of macro malware.

Microsoft has announced that… it is changing the default behavior of Office applications so that they block macros in files from the internet.

What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals.

According to Microsoft, its products would no longer display a yellow warning strip along the top of documents containing macros which – with some clever social engineering – could dupe unsuspecting users into clicking an “Enable Content” button and allowing the malicious macros to run.

Security warning

Instead, the new design would see a redesign (no more yellow. hello red strip!) without an oh-so-tempting-and-oh-so-dangerous “Enable content” button.

Red strip

SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted. <Learn More>

Unfortunately, things haven’t gone as smoothly as Microsoft (and, indeed, the rest of us) might have hoped:

Update on July 6, 2022: Based on feedback, we’re rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

In other words, Microsoft has rolled back its plans. Which is good news for hackers who can continue to rely on the years-old technique of hiding malicious macros inside Office documents – for now at least.

Sign up to our free newsletter.
Security news, advice, and tips.

Hopefully Microsoft will resolve whatever issues have bubbled up with its planned macro block, and will have another stab soon at killing such a common vector of attack.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.