Microsoft pauses macro security plan, unclear on why

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

On February 7, 2022, Microsoft announced that it would begin auto-disabling Visual Basic for Applications (VBA) macros. Security experts celebrated Microsoft’s decision as an important step in preventing malware from infiltrating both enterprise and home networks at the point of entry. 

The feature, which began rolling out in April, blocks VBA macros by default for five Office apps that run macros, including Access, Excel, PowerPoint, Visio and Word on devices running Windows.

Comments posted on Microsoft 365 Blog (365) last Thursday, July 7, by users who noticed that macros suddenly were no longer auto-disabled and that the warning window had different language, eventually revealed that the rollout had been stopped with no announcement from Microsoft. Hours went by and there was only one vague comment confirming that the rollout had been suspended, but that the forum admin didn’t have any additional information.

Auto-disabling temporarily paused – then reinstated … maybe

“Based on feedback, we’re rolling back this change from Current Channel,” the company notified admins in the Microsoft 365 message center (under MC393185 or MC322553) on Thursday. It’s unknown how long the temporary pause will last or what feedback specifically played a role in making the decision to pause the much anticipated rollout. 

The company has yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio and Word.

The decision was met with criticism. “It’s unfortunate and disappointing that Microsoft is walking back their security … around office macros. Disabling office macros by default would have been a huge step forward for securing one of the most tried and tested attack paths,” said Ian McShane, VP of Strategy at Arctic Wolf. “Whether this was rolled back due to technical concerns or customer feedback, office users are less secure today than they were last week.” 

According to Microsoft, this security improvement was going to roll out to Office update channels such as Current Channel, Monthly Enterprise Channel, and then Semi-Annual Enterprise Channel at a later date. 

Security with enhanced usability

The most recent update has just been published on the 365 blog:

Update 7/8/2022:

Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users. 

Regardless of the default setting, customers can block internet macros through the Group Policy settings described in this article. 

We will provide additional details on timeline in the upcoming weeks.

While Microsoft has not shared the negative feedback that led to the rollback of this change,  some users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros.

Originally appeared on: TheSpuzz