Microsoft stunned key parts of the security community with its decision to quietly reverse course and allow untrusted macros to open by default in Word and other Office applications.
In February, the software maker announced a major change it said it was implementing to combat the growing scourge of ransomware and other malicious attacks. Going forward, macros in Office files downloaded from the Internet (files carrying the Mark of the Web) would be blocked by default. Where Office had previously shown a warning banner that could be dismissed with the click of a button, the new warning would offer no such one-click way to enable the macros.
“We will continue to adjust our user experience for macros, as we have done here, to make it harder to trick users into running malicious code through social engineering, while maintaining a path for legitimate macros to be enabled where appropriate through Trusted Publishers and/or Trusted Locations,” wrote Microsoft Office program manager Tristan Davis, explaining the reason for the move.
Security professionals, some of whom have spent the past two decades watching customers and employees become infected with ransomware, wipers and spyware with frustrating regularity, welcomed the change.
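The block described above keys off the Mark of the Web (the Zone.Identifier alternate data stream a browser or mail client attaches to a downloaded file) and can be pinned on by policy so that it does not depend on whatever Microsoft's shipping default happens to be. The following PowerShell is an added example, not code from the article or from Microsoft: it reports whether a given file carries the Mark of the Web, and audits (or, with -Enforce, sets) the "Block macros from running in Office files from the Internet" policy for each Office application. Assumptions: Office 2016 / Microsoft 365 apps, which use the "16.0" registry version; the policy value name blockcontentexecutionfrominternet under HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security; the sample file path is a placeholder.

```powershell
# Added example (not from the article). Assumes Office 16.0 registry layout and
# the per-app policy value "blockcontentexecutionfrominternet" (DWORD 1 = block).
$OfficeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Downloaded files carry a Zone.Identifier alternate data stream (NTFS only).
    # ZoneId 3 is the Internet zone and 4 is Restricted sites; those are the
    # zones the macro block applies to.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null; MacrosBlocked = $false }
    }
    $zone = $null
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path          = $Path
        HasMotw       = $true
        ZoneId        = $zone
        MacrosBlocked = ($null -ne $zone -and $zone -ge 3)
    }
}

function Get-MacroBlockPolicy {
    param([switch]$Enforce)
    foreach ($app in $OfficeApps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $name = 'blockcontentexecutionfrominternet'
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Enforce -and $current -ne 1) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $current = 1
        }
        if ($null -eq $current) {
            $state = 'not configured (Microsoft default applies)'
        } elseif ($current -eq 1) {
            $state = 'enforced: macros from the Internet blocked'
        } else {
            $state = "configured with value $current (block not enforced)"
        }
        [pscustomobject]@{ App = $app; Policy = $state }
    }
}

# Usage: audit first, then pin the block on so it no longer depends on the default.
Get-MacroBlockPolicy | Format-Table -AutoSize
Get-MacroBlockPolicy -Enforce | Format-Table -AutoSize
# Placeholder path: any .docm/.xlsm saved from a browser will show ZoneId=3.
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\sample.docm"
```

Two caveats for practitioners: keys under HKCU\Software\Policies are normally owned by Group Policy, so on a domain-joined machine set this through the Office ADMX template rather than writing the registry directly (the next policy refresh would otherwise overwrite it); and a file that has lost its Mark of the Web (for example by being extracted from a container that does not propagate the stream) is not covered by the block at all, which is why Trusted Locations and Trusted Publishers are the intended allowlist path rather than per-file exceptions.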
“Very poor product management”
Now, citing undisclosed “feedback,” Microsoft has quietly reversed course. In comments like this one posted Wednesday to the February announcement, various Microsoft employees wrote, “based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far and are working to improve this experience.”
The brief acknowledgment came in response to user comments asking why the new banners no longer looked the same. Microsoft officials did not respond to questions from forum users asking what feedback caused the reversal or why Microsoft didn’t communicate it before the change was released.
“Looks like something overrode this new default behavior very recently,” wrote a user named vincehardwick. “Maybe Microsoft Defender is unblocking?”
After learning that Microsoft had lifted the block, vincehardwick alerted the company. “Reversing a recently introduced default behavior change without at least announcing that a rollback is about to happen is very poor product management,” the user wrote. “I appreciate your apology, but it really shouldn’t have been necessary in the first place, it’s not like Microsoft are new to this.”
On social media, security experts bemoaned the reversal. This tweet from the head of Google’s threat analysis group, which investigates nation-state-sponsored hacking, was typical.
“Sad decision,” Google employee Shane Huntley wrote on July 8, 2022. “Blocking Office macros would do infinitely more to actually protect against real threats than all the threat intel blog posts. I always see our core mission in threat intelligence as driving change to protect people.”
However, not all seasoned defenders criticized the move. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the rollback was necessary because the original timeline was too aggressive for such a major change.
“While it’s not the best for security, it’s exactly what many of Microsoft’s biggest customers need,” Williams told Ars. “The decision to block macros by default will break thousands (more?) of business-critical workflows. More time is needed to sunset them.”
Microsoft PR has not provided comment on the change in the nearly 24 hours since it first appeared. A representative told me they were checking the status.