Microsoft surprised key players in the security community by quietly reversing course and once again allowing untrusted macros to be enabled by default in Word and other Office applications.
In February, the software maker announced a major change it said it had adopted to combat the growing scourge of ransomware and other malware attacks. In the future, macros downloaded from the Internet would be completely disabled by default. Whereas previously Office provided warning banners that could be dismissed with a single click, the new warnings would provide no way to enable macros.
“We will continue to adjust our user experience for macros, as we have done here, to make it harder to trick users into running malicious code via social engineering while maintaining a path for macros to be enabled where appropriate through trusted publishers and/or trusted locations,” Microsoft Office program manager Tristan Davis wrote, explaining the reason for the move.
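The behavior described above (block macros in Internet-sourced files outright, with trusted publishers and trusted locations as the only way back) is also available to administrators as a policy, independent of whatever default Microsoft ships. The following is an added example, not code from the article or from Microsoft; it assumes an Office 2016/365 installation (registry version key 16.0) and that the policy value name blockcontentexecutionfromInternet corresponds to the Group Policy setting “Block macros from running in Office files from the Internet”.

```powershell
# Added example (not from the article or Microsoft). Enforces the
# "block macros from the Internet" policy for Word, Excel and PowerPoint
# and reports whether it is in place. Assumes Office 16.0 registry layout
# and the policy value name blockcontentexecutionfromInternet.
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroInternetBlock {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = block. Office treats values under the Policies hive as
        # administrator-set, so users get the no-override banner rather than
        # the old one-click "Enable content" prompt.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfromInternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-MacroInternetBlockStatus {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfromInternet
        [pscustomobject]@{ App = $app; Enforced = ($v -eq 1) }
    }
}

# The policy keys off the Mark of the Web that browsers and mail clients
# attach to downloaded files (the Zone.Identifier alternate data stream;
# ZoneId=3 is the Internet zone). This reports whether a file carries it,
# which is useful when a user asks why a particular document was blocked.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]($zone -match '^ZoneId=3')
}

Set-MacroInternetBlock
Get-MacroInternetBlockStatus | Format-Table -AutoSize
```

For a real deployment, push the same value through Group Policy or Intune rather than a local script, so that users cannot edit it out of HKCU themselves; the script is for verifying the setting on a single machine.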
Security professionals, some of whom have spent the past two decades watching customers and employees hit with ransomware, wiper malware and espionage with frustrating regularity, applauded the change.
“Very poor product management”
Now, citing undisclosed “feedback”, Microsoft has quietly reversed course. In comments like this one posted Wednesday to the February announcement, various Microsoft employees wrote, “Based on the feedback, we are reverting this change to Current Channel production. We appreciate the feedback we’ve received so far and are working to make improvements to this experience.”
The terse admission came in response to user feedback asking why the new banners no longer appeared. Microsoft employees did not respond to questions from forum users asking what feedback caused the reversal or why Microsoft did not communicate it before rolling out the change.
“Looks like something has overridden this new default behavior very recently,” wrote a user named vincehardwick. “Maybe Microsoft Defender is overriding the block?”
After learning that Microsoft had reversed the block, vincehardwick reprimanded the company. “Undoing a recently implemented change in default behavior without at least announcing that the rollback is about to happen is very bad product stewardship,” the user wrote. “I appreciate your apology, but it really shouldn’t have been necessary in the first place; it’s not like Microsoft is new to this.”
On social networks, security professionals deplored the reversal. This tweet from the head of Google’s threat analysis group, which investigates nation-state-sponsored hacking, was typical.
“Sad decision,” wrote Google employee Shane Huntley. “Blocking Office macros would do infinitely more to defend against real threats than all the threat blog posts.”
Sad decision. Office macro blocking would do infinitely more to defend against real threats than all the threat blog posts.
I still see that our primary mission in threat intelligence is to drive change to protect people. https://t.co/JFMeyzefov
—Shane Huntley (@ShaneHuntley) July 8, 2022
However, not all experienced defenders are critical of this decision. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the reversal was necessary because the previous timeline was too aggressive for rolling out such a major change.
“While it’s not the best for security, it’s exactly what many of Microsoft’s biggest customers need,” Williams told Ars. “The decision to cut default macros will impact thousands (more?) of business-critical workflows. It takes longer to sunset.”
Microsoft PR hasn’t provided any comment on the change in the nearly 24 hours since it first appeared. A rep told me she was checking the status.