Slashdot Mirror


After Decades of Abuse, Microsoft Adds an Anti-Macro-Malware Feature To Office (softpedia.com)

An anonymous reader writes: Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet, a tactic used by malware developers to trick users into allowing the download & automatic installation of malware on their PCs. "Macro malware" as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.

119 comments

  1. Sadly needed by phishybongwaters · · Score: 2, Insightful

    It's sad that we actually need them to provide this, but users are idiots. Users click buttons. Users click "agree". Users click "run macro". Users ignore "this could be dangerous". Let's go a step further and just straight up remove macros completely. There is no need for macro support, no one actually uses these features other than malware. Get rid of it.

    1. Re:Sadly needed by Coisiche · · Score: 3, Insightful

      There is no need for macro support, no one actually uses these features

      I've certainly never required one for Word but there have been several occasions where something I wanted to do in Excel could only be achieved by writing a macro. Oh sure, I perhaps *could* have managed without resorting to a macro but in one instance I'd probably still have been working on the task several years later... on the other hand maybe I wouldn't have been made redundant from that job if I hadn't tried to be efficient.

    2. Re:Sadly needed by Anonymous Coward · · Score: 0

      Macros are very useful. But they are supposed to be only for performing some function(s) on a document. Allowing a macro to launch an external executable file is a massive design fail.

    3. Re:Sadly needed by Z00L00K · · Score: 5, Insightful

      And Microsoft has also made this possible by hiding the extension of files in the UIs making it a lot easier for evil people to trick stupid people into clicking on files that they think are images but actually are an executable.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: Sadly needed by cyber-vandal · · Score: 1

      No one apart from all the people that do.

    5. Re:Sadly needed by mrprogrammerman · · Score: 2

      The problem is if they are stupid, the extension showing probably wouldn't make a difference. I think technical people are more annoyed by that setting because they realize that even though something is an image it could be an executable or something else.

    6. Re:Sadly needed by jellomizer · · Score: 1

      Macros are dangerous.
      The key problem isn't security but the fact it gives non-programmers access to a development platform, where they make their own little programs, they get popular and grow to a point where they are impossible to maintain. Because they were designed by non-programmers there is little to no design to its setup.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    7. Re:Sadly needed by Anonymous Coward · · Score: 0

      Users have to click "run macro" and "could be dangerous" hundreds of times - it is normal to do this with less attention at the end.

    8. Re:Sadly needed by Z00L00K · · Score: 1

      Even if it would make a difference to 10% it would be valuable. Hiding the extension is still extremely stupid, and when it's hidden it's necessary to do additional work to investigate the file to reveal if it is dangerous or not.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:Sadly needed by plover · · Score: 1

      Except even that is too much. Allowing a macro to modify an external file is chock full of fail. If the restriction is limited to "preventing execution", then attackers will just write a macro to modify a file type that embeds malware when it's viewed. Imagine a Word document containing a macro writing a .PDF document, and in that PDF it has the malware to infect the machine. The macro has a large, friendly button that says "Click here to produce a PDF version to share with your friends", which is irriyou then send around. Same result - cryptolocker for everyone!

      Even allowing macro-infested documents to read external data sources of any kind (files) is risky, because the macro could still be capable of grabbing a copy of SekritPasswords.docx and shipping it to a server in Elbonia.

      Would this kind of security break stuff? Some. In the past I've written a macro that parsed a bunch of log files, analyzed the contents, and produced the results in a chart in Excel. But as long as I'm not emailing it or downloading it from the internet, the macro would keep working.

      --
      John
    10. Re:Sadly needed by Anonymous Coward · · Score: 0

      I'm not a Windows user, but I've seen friends using Windows and getting e-mails from work with documents attached to it. They always have to click 'agree' and 'Yes' on every security and potential danger message to simply be able to read or edit those documents. They need to accept the risks to get their job done. I never understood the security behind these messages. It is simply Microsoft saying "It is not our fault when something goes wrong. It is you, the user who clicked 'yes' and 'agree'".

    11. Re: Sadly needed by Billly+Gates · · Score: 1

      Why should users care? Not their computers and the IT guy's problem.

      Most don't do that at home. But the IT guys can take the fall for ransomware for not securing them so why not? Some where I work laugh at us when they unplug and move shit and their supervisor blames us. It's funny.

      I believe 80% of users know better but do it anyway if it was from a client or boss ... Only at the office of course

    12. Re: Sadly needed by Anonymous Coward · · Score: 0

      What's a "programmer?" The person that follows the "process" yet still manages to write shit code?

    13. Re: Sadly needed by Anonymous Coward · · Score: 0

      Because "The Boy Who Cried Wolf," variations of which are taught to most children in most cultures, isn't a fable retained by user interface designers.

    14. Re:Sadly needed by edtice1559 · · Score: 1

      Except that in Macro Malware, this would actually make the problem worse. People might know not to click on executables and many "endpoint protection" packages will create a popup warning. Also Windows does a great job of tagging files as "downloaded from the internet" and requiring extra user confirmations before taking certain actions. But one thinks of an Excel file as data, not as code. People will open Excel select File/Open and then pick the XLSX with extension showing and get infected.

    15. Re:Sadly needed by Ed+Avis · · Score: 2

      If Microsoft bothered to distinguish between 'opening' a file and 'running' a program - and double-click would only open, not run - then at least part of the problem would be fixed. But since the earliest days of Windows, the same verb 'Open' has been used for both operations. We can't blame users if they have been trained that double-clicking is the standard way to open a file (surely a safe operation in any sanely written system) but then the OS turns it into the much more dangerous operation of running a program.

      --
      -- Ed Avis ed@membled.com
    16. Re:Sadly needed by Anonymous Coward · · Score: 0

      The solution is simple, don't use excel.

    17. Re:Sadly needed by mitcheli · · Score: 1

      I noticed this article was from the "fond-memories-of-weird-greenpeace-macro dept". And due to the hiding of extensions in the UI, I would be remiss to not remember the time that a general in the military confessed his undying love to me in an email ... with an email to follow about 20 minutes later telling us all to turn off our emails. ... Conspiracy theories abound...

      --
      Select from tblFriends where interesting >= 4;
    18. Re:Sadly needed by Anonymous Coward · · Score: 0

      As a general rule if you think the solution to a problem is an Excel macro the reality is that you should be using a real database and not Excel.

    19. Re:Sadly needed by hoggoth · · Score: 2

      Prepare for it to get a lot worse when we all have Turing-complete toothbrushes and our heart pace-makers can download ringtone-beat-patterns!

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    20. Re:Sadly needed by JimFive · · Score: 1

      I disagree with your solution. Double click should only run, not open. You should run your word processor and then open a document with it. Allowing a document to open on double click means that some program is going to run, the user should have to explicitly select which one.
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
    21. Re:Sadly needed by MoarSauce123 · · Score: 1

      Some use it and office automation is a big deal to some. What I do not understand is that an app macro engine has that easy access to the big knob of the OS. Other than saving files of specific types to designated and controlled areas an Office Suite needs no further resources aside from capturing keyboard and mouse entries and sending video data to the display driver. I think that the way Microsoft implemented macros, but also font handling and other functions is significantly flawed. The "fix" is the typical Microsoft non-fix, throw up a dialog that typically does nothing more than annoy the user and call it "patched". Besides that, the "fix" only goes into Office 2016, what about all the other supposedly still supported versions of MSO? Nevertheless, you may be on to something. Neither OO nor LO or other alternative office suites have macro support, security might just be a reason for that.

  2. Fail by Anonymous Coward · · Score: 0

    This doesn't stop a macro from dropping an embedded executable which will then do the call out on behalf of the macro.

    1. Re:Fail by softnewsit · · Score: 1

      I don't understand this scenario. Can you explain? From where is this embedded executable retrieved? If it's inside the Word document itself, then it's the antivirus' problem to scan it and detect it. Isn't it?

      --
      Go away!
    2. Re:Fail by Bert64 · · Score: 1

      Yes and no, the format is sufficiently opaque that it's difficult to scan for embedded files, and you could always embed something benign (eg a copy of wget) and call it with appropriate arguments to download additional malicious payloads.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Fail by Anonymous Coward · · Score: 0

      anti-virus is always too late by definition. There will always be at least one person who will be successfully attacked.

      I guess you must be a person from a TLA (three letter agency) that does targeted attacks that always pass virus scanners.
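
The replies above turn on whether a scanner can see what a document carries. As an added illustration (not code from the thread or from Microsoft): for the OOXML formats the container is a ZIP package, so a first-pass triage can list macro and embedded-object parts by content instead of trusting the file name. The function names, file names and sample bytes are constructed for this example; legacy binary files are only recognised by their header and would need an OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MAX_MANIFEST = 1_000_000  # do not inflate an oversized [Content_Types].xml


def triage(data: bytes) -> dict:
    """Classify an Office file by its bytes, ignoring its name and extension."""
    report = {"container": "unknown", "vba_parts": [], "embedded": [],
              "declares_vba": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, not ZIP parts.
        report["container"] = "ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            report["container"] = "zip"  # a ZIP, but not an OOXML package
            return report
        report["container"] = "ooxml"
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["vba_parts"].append(name)   # compiled VBA project
            elif "/embeddings/" in lower:
                report["embedded"].append(name)    # embedded OLE objects/files
        info = zf.getinfo("[Content_Types].xml")
        if info.file_size <= MAX_MANIFEST:
            manifest = zf.read(info).decode("utf-8", "replace")
            report["declares_vba"] = VBA_CONTENT_TYPE in manifest
    return report


def needs_review(report: dict) -> bool:
    """True when the file can carry active content and deserves a closer look."""
    return (report["container"] == "ole" or bool(report["vba_parts"])
            or report["declares_vba"] or bool(report["embedded"]))


def build_package(parts: dict) -> bytes:
    """Build a constructed in-memory ZIP package for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: placeholders only, no real VBA or payloads.
CT_PLAIN = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
            'content-types"><Default Extension="xml" '
            'ContentType="application/xml"/></Types>')
CT_MACRO = CT_PLAIN.replace(
    "</Types>",
    '<Override PartName="/xl/vbaProject.bin" ContentType="%s"/></Types>'
    % VBA_CONTENT_TYPE)

PLAIN_XLSX = build_package({"[Content_Types].xml": CT_PLAIN,
                            "xl/workbook.xml": "<workbook/>"})
MACRO_XLSX = build_package({"[Content_Types].xml": CT_MACRO,
                            "xl/workbook.xml": "<workbook/>",
                            "xl/vbaProject.bin": b"constructed placeholder",
                            "xl/embeddings/oleObject1.bin": b"constructed"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    # The names are what a user would see; the verdict comes from the bytes.
    samples = {"budget.xlsx": PLAIN_XLSX, "invoice.xlsx": MACRO_XLSX,
               "letter.doc": LEGACY_DOC}
    for claimed_name, blob in samples.items():
        result = triage(blob)
        print(claimed_name, result, "review" if needs_review(result) else "ok")
```

This only tells a mail gateway or responder that active content is present; it says nothing about what the macro does, which still needs a VBA-aware analyser.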

  3. And, of course. . . . by Salgak1 · · Score: 3, Insightful

    . . . no fixing extant versions of Office out there, and managing it by **GROUP POLICY**?? Really? I guess that either:

    (1) Home and student users are immune to macro viruses, or

    (2) Microsoft is only worried about the security of its corporate clients. . .

    1. Re: And, of course. . . . by Anonymous Coward · · Score: 1

      You can apply policy templates to the local security policy. So yeah... home people could also do this... although having a UI to manage this would work better in the home use case. (I haven't checked if there will be a preference UI update to match though)

    2. Re:And, of course. . . . by Anonymous Coward · · Score: 1

      Corporate is where the cash is. They probably had complaints for years and finally decided to do something about it when they saw firms switching to LibreOffice or OpenOffice.

    3. Re:And, of course. . . . by kaur · · Score: 2, Insightful

      Dear Microsoft.
      Please give us an example where a home user would benefit from the capability of Office documents to load anything from the web.
      Does this benefit outweigh the risk it creates?
      How?

      In other words -
      DROP THIS BLOAT from your software, for all and for good.
      With the exception of corporate users who, in a strictly controlled environment, might use it - GPO allowing.

    4. Re:And, of course. . . . by craigminah · · Score: 2

      I use it to get stock quotes from Yahoo Finance and other sites.

    5. Re:And, of course. . . . by Anonymous Coward · · Score: 1

      . . . no fixing extant versions of Office out there, and managing it by **GROUP POLICY**?? Really? I guess that either:

      (1) Home and student users are immune to macro viruses, or

      (2) Microsoft is only worried about the security of its corporate clients. . .

      Microsoft is worried about the REVENUE from its corporate clients.

      It should be painfully obvious that they really don't give a shit about security in and of itself.

    6. Re: And, of course. . . . by Salgak1 · · Score: 1

      And you expect home users to:

      1. Load MMC.

      2. Load up the Local Security Policy Plug-in

      3. Configure the appropriate Local Security Policy

      If Micro$loth were to release a one-click fix, MAYBE. But expecting the average Joe out there to correctly configure sysadmin tools is a bit of a stretch. . .

    7. Re:And, of course. . . . by AmiMoJo · · Score: 5, Informative

      The summary is full of shit. Macros have been disabled by default for a decade now. Seriously, Office 2007 on my work PC requires me to manually enable macros every time I open a document. That's the default setting.

      The only change seems to be that this policy can be altered and enforced by Group Policy.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re: And, of course. . . . by Anonymous Coward · · Score: 0

      If MS doesn't, as a freaking Linux administrator, even I could write a 1 line, 2 file 'batch' job to do it on home and student machines.

      Secedit /import /db C:\fake\exportedfix.sdb /cfg NetworkShare\Policies\exportedfix.inf /areas securitypolicy /log C:\fake\whathappened.log /quiet

      Done, but yeah fuck microsoft. That was super hard and took 2 minutes of a google search.

    9. Re:And, of course. . . . by Anonymous Coward · · Score: 1

      People click past these things. They have become conditioned to think that this is normal as they don't understand the full implications of saying yes.

    10. Re: And, of course. . . . by Salgak1 · · Score: 0

      And, again, the magic word, ADMINISTRATOR.

      We're not talking admin-level users, with sufficient clue to google and use that data to create a solution.

      We're talking Generic-users. The sort that, 20 years ago, were calling into Help Desk to report that they had broken their computer's cup holder, or that they couldn't insert disk 3 of 7, as no more disks would fit into the slot. . .

      You know. . . Trump voters. . .

    11. Re: And, of course. . . . by jbmartin6 · · Score: 1

      The current versions of Office allow users to globally disable macros with no popup to enable them. But of course this is rarely used since ignorant (just a description, not a condemnation) users don't want to break anything. Perhaps MS could disable macros completely by default for non-enterprise editions.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    12. Re: And, of course. . . . by Anonymous Coward · · Score: 0

      You missed the first one:

      0. Have a Pro edition of Windows.

      Seriously. Only Pro editions and "higher" (Ultimate, Enterprise, etc.) have the policy snap-ins to manage policies. Even the policy enforcement system is gimped in the Home editions of Windows. There's still a way to force policies into them via command line scripting, but a good portion of the time, they don't work because the enforcement system flat-out ignores Home editions.

      Also, Home editions of Windows can't be joined to a domain, so "group" policy is pretty meaningless.

    13. Re:And, of course. . . . by R.Mo_Robert · · Score: 2

      The summary is full of shit. Macros have been disabled by default for a decade now. Seriously, Office 2007 on my work PC requires me to manually enable macros every time I open a document. That's the default setting.

      The only change seems to be that this policy can be altered and enforced by Group Policy.

      This is about blocking macros that connect to the Internet, not macros themselves. You are correct that macros have been disabled by default for documents that come from locations that are not marked in Office as "trusted," with a notification that allows you to enable them if desired. This is different, as it affects only a subset of macros and does not allow the user to un-block them. (Also, being able to control macro settings via Group Policy is not new.)

      This sounds like a good move to me. I can't recall ever seeing a macro that had a legitimate need to connect to the Internet.

      --
      R.Mo
    14. Re: And, of course. . . . by R.Mo_Robert · · Score: 1

      You can apply policy templates to the local security policy. So yeah... home people could also do this... although having a UI to manage this would work better in the home use case. (I haven't checked if there will be a preference UI update to match though)

      I don't think any editions of Office 2016 apart from Professional Plus and up will read group policy. Most home users don't buy (rent?) those editions.

      --
      R.Mo
    15. Re: And, of course. . . . by Billly+Gates · · Score: 1

      Then they would complain their offices ain't working to MS and return their computers for ones that work.

      There already is a feature. It is called a warning in a yellow title bar.

      If the user is stupid enough that is on them. MS should not get in the way.

      However, these same users are careful at home. They are not stupid contrary to what is posted here. It is that they don't give a shit at work since they don't own them.

      Notice how the company cars always get trashed but not the workers personal cars?

      That's the IT guy's who read Slashdot problem. Not mine etc ..

    16. Re: And, of course. . . . by MachineShedFred · · Score: 1

      As an administrator, you know there's a problem to Google a solution for.

      Most people that fall prey to this malware don't even know these vulnerabilities exist until they are already compromised. That's the real problem here. Microsoft should disable this behavior by default, until the first time you try to use it, at which point it doesn't give you a 'shut up and go away' button, but makes you actually go into a setting panel somewhere and explicitly enable it with a nice big fat warning confirmation box.

      TLDR: Opt-in versus opt-out.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    17. Re:And, of course. . . . by hankwang · · Score: 1

      Macros have been disabled by default for a decade now.

      That's not the point of TFA or even TFS. The point is that different enable/disable policies can be implemented for macros that connect to the internet versus macros that operate in a sandbox such as buttons in an Excel spreadsheet that manipulate the data inside the spreadsheet. Right now, it's all or nothing.

      That said, I'd prefer that write access to local files is also restricted. It's fine if a macro can automatically import data from a file, but I'm not so fine with macros being able to write data (overwriting/encrypting files, creating .EXE files).

    18. Re:And, of course. . . . by AmiMoJo · · Score: 1

      Sure, but the way the summary presents it you would be forgiven for thinking that previous versions of Office just ran any old crap they found embedded in documents, and that certainly is not the case.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:And, of course. . . . by Anonymous Coward · · Score: 0

      obligatory xkcd https://xkcd.com/1172/

    20. Re: And, of course. . . . by Anonymous Coward · · Score: 0

      Well, Windoze always runs as Administrator (at least, that's what every software needs to install and run), so of course every user should be a qualified system administrator.

    21. Re:And, of course. . . . by Anonymous Coward · · Score: 0

      You can use the built-in data connection functionality. With it you can browse to a website and select an html table for import.

      There isn't any reason that macros need to be a thing anymore, at least not in their current form anyways.

  4. only the new version, huh? by Anonymous Coward · · Score: 1

    and only via group policy?

    when it could be an easily added in-application option (AND the default setting.. with group policy permissions to disable changing), for ALL versions.

    1. Re:only the new version, huh? by GrumpySteen · · Score: 1

      it could be an easily added in-application option (AND the default setting.. with group policy permissions to disable changing), for ALL versions.

      You think that updating, recompiling, testing and releasing 30+ versions of software released over the past 26 years is easy?

      ROFLMFAO

  5. Exempt Safe Macros by Cacadril · · Score: 3, Interesting

    I always wondered why there is no distinction between macros that only modify the document in which they are embedded, and all other macros. Say, for instance a letter template that, upon instantiation, sets today's date, then removes all macros from the document.

    --
    There is no substitute for common sense. Especially, no body of rules will do.
    1. Re:Exempt Safe Macros by Anonymous Coward · · Score: 0

      There should be no such thing as an "unsafe" macro in the first place.

    2. Re:Exempt Safe Macros by someoneOtherThanMe · · Score: 1

      Sun tried this 20 years ago with Java and Oracle is still busy with failing to do it properly.

    3. Re:Exempt Safe Macros by nine-times · · Score: 1

      I always wondered why there is no distinction between macros that only modify the document in which they are embedded, and all other macros.

      Why are there other macros? It seems to me that macros should only be able to modify the document in which they are embedded. If you need something other than that, then you don't need a macro-- you need some kind of different application. Like if you're cobbling together some elaborate database application by having a series of macros that write different things to different Excel files or something, you should give it up and admit you need a database application.

      Let documents be documents. Opening a PDF or Word document should not have any ability to make changes to your filesystem.

    4. Re:Exempt Safe Macros by Anonymous Coward · · Score: 0

      There is. Sign your macro with a code signing certificate. Only allow macros to fire if they are signed by a trusted publisher. We've been doing this since 2001. It isn't that hard. Enforce this via group policy or the Office Customization Tool.

    5. Re:Exempt Safe Macros by Bob+the+Super+Hamste · · Score: 1

      Sounds like a halting problem to me.

      --
      Time to offend someone
    6. Re:Exempt Safe Macros by Just+Some+Guy · · Score: 1

      Seriously? No. You could make a Lists of functions you want to Control Access to - let's call them ACLs for short - then assign them to roles. Role "received from someone else" might have an ACL like:

      • Allow edits to the current document
      • Deny all

      so that the macro could tear up its own home in all sorts of ways, but couldn't call functions like fetchFromRussiaExecuteAsAdmin(url).

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Exempt Safe Macros by Anonymous Coward · · Score: 0

      I think the parent is talking about Java applets and Web Start. Had they been secure, today's web apps would have been dead on arrival because anything HTML can do Java could do better. It brought the ease and power of desktop development with the web's lack of software installation. Would you prefer developing in today's cluster fuck of web frameworks and languages or a single standardized library that supports everything you'd need? If only Sun had better C++ devs.

    8. Re:Exempt Safe Macros by Anonymous Coward · · Score: 0

      Like if you're cobbling together some elaborate database application by having a series of macros that write different things to different Excel files or something, you should give it up and admit you need a database application.

      Then they'd have to admit they need to hire a DBA who can do SSRS, instead of having $9/hr Steve the HR assistant hack up a macro that works fine until it doesn't and all the employee records go kablooie. Ain't happening until they learn the hard way.

    9. Re:Exempt Safe Macros by PPalmgren · · Score: 1

      The very act of a macro removing the macros from the document is at a high privilege level already, because it has the ability to modify the macros. A macro with the ability to modify a macro or save a file is already at the application layer and filesystem layer.

      Also, certain tools can be used at different privilege levels. I've used FileSystemObject to write CSVs out of the files directly (write/create), and I've also used it just to get a directory list (read). I mean, you could blacklist certain parts of each command, but a lot of that stuff can be done about 100 different ways via different roundabout methods. I can generate a new CSV without modifying anything but the current file, formatting a tab and saving it as a CSV then re-saving as the original, to get the exact same result as read/write access of the FSO scripting previously mentioned. The application layer also allows control of error handling/messaging and even screen updating, giving you the ability to do it covertly.

      Everything about macros in these programs is very powerful, but they're also extremely useful, which is why they're used.

  6. So Ribbon will be removed around 2018? by Anonymous Coward · · Score: 0

    So that awful ribbon will be due for removal soon? 2018?

    Did someone explain to them that icons are nouns, (pictures of THINGS) while actions are verbs (literally *acts*) which is why nobody copied that dumb POS they implemented? Better late than never.

    1. Re:So Ribbon will be removed around 2018? by Zontar+The+Mindless · · Score: 1

      "Copy", "cut", and "paste" can be nouns, sure, but I doubt anyone thinks of the so-named icons as representing anything other than verbs.

      Or how about "Back", "forward", "reload", ...?

      --
      Il n'y a pas de Planet B.
  7. Microsoft Adds an Anti-Macro-Malware Feature by iamrakeshh · · Score: 0

    Microsoft is only worried about office files

  8. Software industry is a joke by Solandri · · Score: 5, Insightful

    Manufacturing industry: Government says "Your product is dangerous. Come up with a fix and issue a recall at your expense to implement your fix in every product out there that you sold."

    Toy industry: Government says "Your product is dangerous. Pull it off the market. Have the people who bought it return it, and give them their money back."

    Software industry: "Our product is dangerous. I know! Let's fix it, but only put the fix in our latest version to force people to upgrade and pay us more money." Government says "Great! We'd like to buy a million copies of the new version."

    Given Microsoft's history with free security updates, I thought they understood the difference between a bug fix and a feature upgrade. But between this and rolling out unwanted adware and spyware as "important updates" I guess not.

    1. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      "Dangerous because it can fail under normal use" is not the same as "dangerous because it is vulnerable to a malicious attack". Have there been any product recalls due to the latter?

    2. Re:Software industry is a joke by wbr1 · · Score: 1

      A counter argument to this is that software would then be so expensive that it would be beyond the average person's ability to purchase.

      --
      Silence is a state of mime.
    3. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      software would then be so expensive that it would be beyond the average person's ability to purchase.

      ...or completely free and open source :-)

    4. Re:Software industry is a joke by rcase5 · · Score: 3, Insightful

      The government requires auto manufacturers to have safety features that protect people in the event of a collision. A collision isn't considered "normal use", but they are required to safeguard against injury in the event of a collision. The spate of recalls due to defective airbags from Takata can be an example of a product feature being fixed that is supposed to deploy outside of normal use. Whether or not the collision is malicious is beside the point.

    5. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      > software would then be so expensive that it would be beyond the average person's ability to purchase.

      You say that as if it was a bad thing.

    6. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      A counter argument to this is that software would then be so expensive that it would be beyond the average person's ability to purchase.

      so we all suffer from bad software because you happen to be a bad accountant

    7. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      "Dangerous" manufactured goods are considered so because they cause physical harm.

      "Dangerous" software, at worst, causes only inconvenience.

      Physical harm from dangerous software can only happen if dangerous hardware is running that software, and then you already have dangerous hardware that should be subject to scrutiny. There is simply no responsibility for software. That's why it's software.

    8. Re:Software industry is a joke by Doke · · Score: 1

      So many things in our lives are computer controlled that there are lots of cases where bad software can be physically dangerous.

      Volkswagen diesel cars, hospital computer networks, automated pharmacy dispensing systems, industrial robots, elevators, bluetooth electric skateboards, etc.

    9. Re:Software industry is a joke by Anonymous Coward · · Score: 0

      So if some hack puts a potato in your tailpipe it's clearly the automaker's fault right?

      Curse that hack-er for exposing the failure of the car designer!

    10. Re:Software industry is a joke by rcase5 · · Score: 1

      No, just as it wouldn't be Microsoft's fault if someone came in and disconnected all of the fans inside your PC so it could overheat and die. There are certain things Microsoft has control over, they've just been lazy (or stubborn) at doing something about them. Having a macro language that has the ability to install and execute a virus, or malware, or ransomware on your PC just isn't necessary. I mean, it's a fucking document! How much power do you need in a macro language for documents?!

      Nobody would advocate to having car doors removable because it would be "totally cool" to see the road whiz by as you're driving 65mph down the highway. But some of Microsoft's software features in their products are tantamount to this very thing. It's silly, and it causes real harm to people and businesses.

  9. Turn them off by default by sjbe · · Score: 5, Informative

    It's sad that we actually need them to provide this, but users are idiots. Users click buttons. Users click "agree". Users click "run macro" users ignore "this could be dangerous".

    All true but that also indicates that the system is stupidly designed. Software companies have conditioned them to ignore warning messages and EULAs and pop up buttons. Users are concerned with getting their task done and asking them to worry about the security of the system is dooming the system to failure right from the start. Any developer that thinks my technologically naive mother is going to be able to deal with macro malware is an idiot.

    There is no need for macro support, no one actually uses these features other than malware.

    That's straight up false. There are some groups that HEAVILY use macros. The financial industry in particular uses the crap out of them in Excel. (save the snark - it works for them) What should probably happen is that user defined macros should be disabled by default for most users. And no they should be possible to enable via a pop up. I almost never use macros so I'd be happy to have a way to disable them quasi-permanently. They're little more than a malware vector for me but that doesn't mean they aren't useful to other people.

    1. Re:Turn them off by default by azcoyote · · Score: 4, Insightful

      Yeah, as a professor I use macros a lot for common tasks in writing papers and for managing my gradebook. The main problem with macros is that they are so stupidly designed and VBA is such a stupid, inconsistent, and insecure language. Macros are already disabled by default until you enable them via a popup, but there is no distinction between harmless operations and dangerous ones that could compromise a user's system. I think Visual Basic needs to be replaced with another language, and macro security needs to be redesigned from the ground up. But Microsoft never does anything so sensible.

      --
      Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
    2. Re:Turn them off by default by jbmartin6 · · Score: 1

      You can disable them via a setting for anything except trusted locations, and manage this setting via GPO also.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re: Turn them off by default by Anonymous Coward · · Score: 0

      Well, no, because they'd have to ship a VBA compatibility layer. And since VBA already relies on a runtime environment, what would be the point?

      No language is secure, nor should it be outside of syntax. If you don't want a language to do X, then secure X in the operating environment, which is precisely what Microsoft tends to do.

    4. Re:Turn them off by default by macmouse · · Score: 1

      Actually, they are working on adding JavaScript to the Office Suite as the new cross-platform API/language.

      http://www.theregister.co.uk/2...

  10. Internet access? by denbesten · · Score: 4, Insightful

    I have never understood why macros need access to the Internet or to run an external program. Personally, I would rather be prompted if a macro needs to connect outside of the document. It would make more sense to me than telling me that a document is scary simply because I emailed it to myself via gmail.

    1. Re:Internet access? by herve_masson · · Score: 3, Interesting

      Well, yes. This is called "sandboxing". Microsoft should have made their macro run in a sandbox, with prominent prompts when the macro needs to access the filesystem, send data over the network, run an external program, etc. Anything that is not manipulating data in the current document.

      But this is the way Microsoft does things, and it sucks hard.

    2. Re: Internet access? by Anonymous Coward · · Score: 0

      I work at a small business which uses macros to pull live product data from our sites into emails, so sales people can get our rapidly changing and carefully edited data to the customers they know want it in a snap, rather than wasting valuable time or money on some bloated "business intelligence" tool which won't be nearly as effective moving product and maintains the human relationships that make successfully and profitably competing internationally in a "dying" industry without investment possible for us.

      I don't like it, but it works.

    3. Re:Internet access? by nine-times · · Score: 1

      I have never understood why macros need access to the Internet or to run an external program.

      A lot of these things started back before people expected malicious hackers. Early email systems didn't even have passwords. Even in the 90s, Mac OS and Windows didn't really have the ability to password protect the system. When Microsoft introduced Internet Explorer, Microsoft went through a lot of trouble to make sure that the web browser could access the filesystem and control the system, going as far as having their patching/updating mechanism run from a web page. We're still struggling with the effects of putting encryption on email and on our filesystems.

      Basically, computer stuff engineered longer than 15 years ago was aimed at increasing the capabilities, without regard for security. In that context, having omnipotent macros enabled people to do all kinds of crazy things that office applications were not designed to do. Businesses and industries built themselves up around Microsoft Word and Excel documents that acted as full-on applications of their own. Now we all see how stupid it is, but yanking that functionality would disrupt a lot of people's work, because they rely on a collection of Franken-documents that are really complex applications, but nobody has the budget to rebuild them as a proper application.

    4. Re:Internet access? by Voyager529 · · Score: 1

      I have never understood why macros need access to the Internet or to run an external program. Personally, I would rather be prompted if a macro needs to connect outside of the document. It would make more sense to me than telling me that a document is scary simply because I emailed it to myself via gmail.

      I'll give you two examples of how macros are used in ways that involve external programs.

      The first is a program called Worldox. It's used heavily by law firms, and it allows users to "save to Worldox", to which you're saying, "so...they reinvented the file system?" Not exactly. Saving to Worldox allows a document to be assigned to a particular case, with a bunch of metadata pulled from the document, to allow it to be filed along with other documents relevant to the case. It also allows e-mail correspondence to be filed in the same way, and permissions applied to users on (literally) a case-by-case basis.

      The second program is called ProSystemFX Engagement. It's used by accounting firms in a way somewhat-similar to git (check document out, modify document, a second user will get told the document is unavailable so there are no save collisions, etc.), but also will provide real-time updates to Excel sheets based on other data that's available to it in the system.

      Are Macros the "right" task for the job? Well, maybe not...but in practice, if you're trying to extend the capabilities of Office, it's either macros or add-ins, and one of them is easier to port between versions of office, and both are equally capable of wreaking havoc.

    5. Re:Internet access? by Windowser · · Score: 1

      Basically, computer stuff engineered longer than 15 years ago was aimed at increasing the capabilities, without regard for security.

      You are wrong. Unix was engineered more than 40 years ago and it was built with security from the start.

      --
      Avoid the MS tax, always buy I.B.M. PC's (I Built-it Myself)
    6. Re:Internet access? by Just+Some+Guy · · Score: 1

      Those prompts could even be as detailed as "this document wants to fetch and execute a program from an Internet site that's not in your company's domain and isn't in your browser history. It's also in North Korea. Do you want to allow this?" Dig and whois are right there, begging to be dug and whois'd.

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Internet access? by nine-times · · Score: 1

      I was speaking generally. Of course there were secure computing systems, but most of what you saw wasn't very secure. Even if the OS itself was secure, the apps and services running on them may not have been.

  11. Crap topping on a turd sundae by rcase5 · · Score: 3, Insightful

    This is typical of Microsoft. They introduce "features" which sound really cool, but in actual practice are ill-advised. Then they introduce band-aid solutions that are supposed to make up for these deficiencies, but really don't do anything except get in the way of normal usage, and insult the intelligence of users. The issue with Office macros has been around for about 20 years, and they have been attempting to fix the security holes ever since, to no effect. This is why Windows is such a sieve when it comes to security, because they've designed Windows with the same philosophy as all of their other products, including Office.

    1. Re:Crap topping on a turd sundae by Anonymous Coward · · Score: 0

      Could their philosophy be "code a feature right and users buy 1 version; code a feature wrong and users buy 1 version for the feature and 5 versions for the bug fixes"?

    2. Re:Crap topping on a turd sundae by thegarbz · · Score: 1

      The issue with Office macros has been around for about 20 years, and they have been attempting to fix the security holes ever since, to no effect.

      Critique is child's play, solutions are not.

      How would you fix it?

    3. Re:Crap topping on a turd sundae by Anonymous Coward · · Score: 0

      Switch to Apple or open-source products?

  12. Yay! by wwphx · · Score: 2

    Now we have a reason to upgrade to a new version of Office!

    [/sarcasm]

    I HATE Office, ever since they switched to that damn ribbon bar. It killed my productivity, I now have to stop and think to remember how to click and waddle through what ribbon to get the options that I needed, where they were a fairly short menu dive before that I could frequently execute without touching the mouse.

    --
    When you sympathize with stupidity, you start thinking like an idiot.
    1. Re:Yay! by Anonymous Coward · · Score: 0

      You know what's safe from MS Office macro malware and doesn't force the stupid ribbon on you? LibreOffice.

      Bonus: it's free of charge.

      Double bonus: you don't need to install Windows to use it.

    2. Re:Yay! by Anonymous Coward · · Score: 0

      I HATE Office, ever since they switched to that damn ribbon bar. It killed my productivity, I now have to stop and think to remember how to click and waddle through what ribbon to get the options that I needed, where they were a fairly short menu dive before that I could frequently execute without touching the mouse.

      I thought they kept all of the old keyboard shortcuts.

    3. Re:Yay! by Anonymous Coward · · Score: 0

      For the most part they did, but even if they didn't you can always change any shortcut. People just like complaining because they're not willing to spend a few hours learning something new to improve their productivity. They'd rather struggle through and use it as some badge of honor that they got by despite the system rather than learn how to actually better themselves. Every study I've read demonstrates the ribbon is more efficient for the average user than the menu system once you learn how to use it. And for power users, you already only use shortcuts, right?

      The ribbon system has keyboard navigational shortcuts too. Stop complaining and go look them up. Alt + P + AA + G toggles grid lines on/off in Excel and the UI shows you the next keystroke options if you forget or haven't memorized them yet. You can even press Esc to back out one level of your shortcut keys. Every item in the ribbon can be reached through only keyboard use while looking at the GUI. Press Alt and you'll see all the shortcuts pop up, similar to the letter underlining in the old menus.

    4. Re:Yay! by Anonymous Coward · · Score: 0

      If you're using the mouse for everything, your productivity already sucks; keyboard shortcuts didn't change (with some very minor exceptions), and my productivity didn't even bat an eye. CTRL+F1 was the first ribbon command I learned.

  13. Just proves what Ranum said by jbmartin6 · · Score: 1

    Marcus Ranum said something like (paraphrase) "Security is only as good as it has to be." MS is only addressing this since it has to, just like when it finally disabled macro access to send email and read Outlook contacts after years of email worms. The bad guys will move on to the next poorly secured feature, and when it gets bad enough MS will then fix that. It's the cycle of life.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. Ditch them by DriveDog · · Score: 1

    Once upon a time macros were quick, dirty, and useful. They didn't have or need access to anything outside the application. Then MS switched it all to VB crud and they were no longer quick and dirty, and hence rarely useful. Surely someone uses them for good, but I haven't met them.

  15. HP-Labs solved this for XP; 15 years ago by Anonymous Coward · · Score: 0

    HP-Labs have solved the problem with macro malware 15 years ago.

    They create a new temporary user to run it. A powerbox gave the user access and control over files needed.

    Why didn't Microsoft follow this path:
    https://web.archive.org/web/20...

  16. So, end users still screwed? by gstoddart · · Score: 1

    So if sysadmins can set this via GPO, basically MS is doing their usual bullshit and assuming all people are running Windows in corporate environments to use Office and Exchange?

    And how will this help the rest of us? Microsoft hasn't fixed anything, they've allowed corporate environments to turn off some functionality without really addressing the actual underlying problem -- their tendency to run everything silently without stopping to realize how that's a terrible idea.

    But, that's OK ... I don't see much value in Office for personal use anyway, and except for the OS, Notepad and Calculator, I don't think I rely on any of Microsoft's stuff for anything anyway.

    It just amazes me how much they continue to embody the cluelessness embodied in those "I'm a PC/I'm a Mac" commercials ... keep it up guys, keep believing the world runs on spreadsheets and Exchange.

    --
    Lost at C:>. Found at C.
    1. Re:So, end users still screwed? by ledow · · Score: 1

      GPOs generally do nothing more than apply local policies which generally do nothing more than force certain registry entries.

      If a GPO exists, it's because a registry entry that it can tweak exists. Generally, it takes no more than a Google or a dig through an admx file to find out the registry entry that they correspond to.

      Slashdot comment system will munge it but open any ADMX and you see this:

      ANGLE BRACKET policy name="L_Underlinehyperlinks" class="User" displayName="$(string.L_Underlinehyperlinks)" explainText="$(string.L_UnderlinehyperlinksExplain)" key="Software\Policies\Microsoft\Office\12.0\Access\Internet" valueName="DoNotUnderlineHyperlinks" ANGLE BRACKET
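
The ADMX-to-registry lookup described in the comment above, as an added example that is not part of the original thread: it reads policy definitions and lists the registry values each policy forces. The first policy reuses the attributes quoted in the comment; the second policy, its child elements and the function names are hypothetical, and the whole sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first <policy> carries the attributes quoted in the
# comment above; "Example_Both" and every child element are hypothetical.
SAMPLE_ADMX = r"""<policyDefinitions
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
    revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="L_Underlinehyperlinks" class="User"
            displayName="$(string.L_Underlinehyperlinks)"
            explainText="$(string.L_UnderlinehyperlinksExplain)"
            key="Software\Policies\Microsoft\Office\12.0\Access\Internet"
            valueName="DoNotUnderlineHyperlinks">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="Example_Both" class="Both"
            displayName="$(string.Example_Both)"
            key="Software\Policies\Example\App">
      <elements>
        <decimal id="Example_Level" valueName="Level"/>
        <text id="Example_Path" key="Software\Policies\Example\App\Paths"
              valueName="Path"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""

# The policy's class attribute decides which hive(s) the value lands in.
HIVES = {"User": ["HKCU"], "Machine": ["HKLM"], "Both": ["HKLM", "HKCU"]}


def local(tag):
    """Strip the XML namespace so the code works with any ADMX schema URI."""
    return tag.rsplit("}", 1)[-1]


def policy_registry_map(admx_text):
    """Return {policy name: [full registry value paths the policy writes]}."""
    root = ET.fromstring(admx_text)
    result = {}
    for node in root.iter():
        if local(node.tag) != "policy":
            continue
        base_key = node.get("key")
        targets = []
        # A simple on/off policy names its value on the <policy> element.
        if node.get("valueName"):
            targets.append((base_key, node.get("valueName")))
        # Policies with options list them under <elements>; each option may
        # override the key, otherwise it inherits the policy's key.
        for child in node:
            if local(child.tag) != "elements":
                continue
            for elem in child:
                if elem.get("valueName"):
                    targets.append((elem.get("key", base_key),
                                    elem.get("valueName")))
        hives = HIVES.get(node.get("class"), [])
        result[node.get("name")] = [
            f"{hive}\\{key}\\{value}" for hive in hives for key, value in targets
        ]
    return result


if __name__ == "__main__":
    for name, paths in policy_registry_map(SAMPLE_ADMX).items():
        print(name)
        for path in paths:
            print("   ", path)
```
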

    2. Re:So, end users still screwed? by Shoten · · Score: 1

      GPOs generally do nothing more than apply local policies which generally do nothing more than force certain registry entries.

      If a GPO exists, it's because a registry entry that it can tweak exists. Generally, it takes no more than a Google or a dig through an admx file to find out the registry entry that they correspond to.

      Slashdot comment system will munge it but open any ADMX and you see this:

      ANGLE BRACKET policy name="L_Underlinehyperlinks" class="User" displayName="$(string.L_Underlinehyperlinks)" explainText="$(string.L_UnderlinehyperlinksExplain)" key="Software\Policies\Microsoft\Office\12.0\Access\Internet" valueName="DoNotUnderlineHyperlinks" ANGLE BRACKET

      There's an important distinction here, though...it has to do with who applies the local policy that generally does nothing more than force certain registry entries. Those parts of the registry can be locked down such that nothing that runs in the context of the human user at the system can change them, even though the machine account that enforces GPOs can. You can even take this so far as to preserve most administrator-level rights so that the end-user can still run shitty software or install the latest version of the WebEx client when they need to join that conference call, without their (or any malware they open) having edit access to those registry values.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    3. Re:So, end users still screwed? by gstoddart · · Score: 1

      Sure, but my point is for the average person who could get screwed by this vulnerability, this does no good at all.

      My mother-in-law isn't going to google for what registry key needs to be put in to solve a problem she doesn't understand.

      If the best Microsoft can do to fix this problem is a half-assed fix which is only applicable to corporate controlled networks or advanced users, it completely misses all of those other people who don't have this and are more likely to be vulnerable.

      This isn't a solution, it's a cheap work around which benefits a small subset of their user base. And I'm no longer willing to cut Microsoft slack for their shit security they build into products because they don't think stuff through and want to run anything they encounter.

      Letting admins turn it off doesn't solve anything, because the people impacted by this won't all have admins.

      Saying "it takes no more than a Google or a dig through an admx file" is a bullshit response, because it boils down to forcing every home user to know about this shit and act on it. If Microsoft is going to write the suck, they need to write better fixes than this.

      That, or they should say "well, unless you have an admin you should use Google Docs because we're too damned lazy to come up with a real fix". That would at least be honest.

      --
      Lost at C:>. Found at C.
  17. Re:Dear Muslims by Anonymous Coward · · Score: 0

    Dear Christians,

    We are tired of innocent people dying in terror attacks. We were attacked since the Crusades killing millions of people. These attacks are cowardly and evil. They need to stop. Far too many people have died because of violence in the name of God. Christianity is a fairy tale. God isn't real. The Bible is a work of fiction. We are sick and tired of innocent people being killed because they don't believe in a fairy tale. A deity who would condone attacks against innocent people is evil. If God were real, which isn't the case, God would be evil. The only thing missing from this fairy tale is the benevolent protagonist who defeats God and puts an end to this evil.

    Those of you who are so-called moderate Christians should be ashamed. You are enablers, tolerating and encouraging these attacks, even without direct participation. Your belief in Christianity assists in the slaughter of innocent people. If you have any decency at all, you will feel extreme guilt in enabling these cowardly terror attacks. You should feel awful about tolerating and enabling the killing of people who have done nothing wrong. Your belief in Christianity is evil. It is time for you to help put an end to terror by renouncing Christianity. If you care at all about doing the right thing, if you have any human decency, you will abandon Christianity immediately.

    Thank you,

    All Civilized Muslim Citizens

  18. Sign your macros with a code signing certificate by Anonymous Coward · · Score: 0

    IT Departments that don't require macros to be signed with a code signing certificate are negligent and lazy. If you do this, you won't have any issues. We've been doing this since 2001. We don't have any issues.

  19. Should be off by default by sjbe · · Score: 1

    You can disable them via a setting for anything except trusted locations, and manage this setting via GPO also.

    So what? They should be off by default and require users to enable them to be utilized. 99% of users will never need macros and the few who do will be able to figure out how to enable them. In the meantime it's a huge security hole which costs millions of dollars to deal with every year. As with many things it should be opt-in not opt-out.

    1. Re:Should be off by default by jbmartin6 · · Score: 1

      So when you said " I almost never use macros so I'd be happy to have a way to disable them quasi-permanently." I took that to mean you were not aware the option existed. Apologies for misunderstanding.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  20. Clippy the animated Office assistant was last seen by JoeyRox · · Score: 1

    at an Office Depot, threatening to throw himself into a paper shredder. He's taking the news very badly.

  21. One step short... by Shoten · · Score: 1

    Microsoft needs to take this one step farther. It would be extremely easy to create a macro that would write a file locally (for example, in JavaScript) that would, in turn, retrieve data from the Internet. So simply to keep the macro from accessing the Internet is not quite enough.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  22. Re:Clippy the animated Office assistant was last s by Shoten · · Score: 1

    at an Office Depot, threatening to throw himself into a paper shredder. He's taking the news very badly.

    And standing in front of him was a long-time Office user, getting his revenge:

    "I see you're trying to kill yourself. Would you like help with that?"

    --

    For your security, this post has been encrypted with ROT-13, twice.
  23. Office Edsissent by orledrat · · Score: 1

    Macros are dangerous.

    Or worse..

    Considered Harmful.

    Wouldn't it be something if Microsoft made a Clippy in the form of a small Dijkstra depiction? They could use this Office Edsissent to help the user pick the shortest path when wading through widgets, ribbons, and wizards. And it would readily provide basic Clippy functionality, snidely deriding the user when it finds any error in correctness.

    Would be enough to make me leave vim.

  24. __ by Anonymous Coward · · Score: 0

    > "Macro malware" as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.

    Citation, please? Because I think more likely it's actually 3rd-party advertisements.

  25. Make them difficult to turn on by sjbe · · Score: 1

    I took that to mean you were not aware the option existed. Apologies for misunderstanding.

    No worries. Perhaps I was unclear. I am aware that there are ways to limit their use but they are needlessly arcane and should be enabled by default. Basically I'm trying to say that it should be relatively difficult to unintentionally turn on the ability to run macros. Most people (self included) rarely need the feature and it's nothing but a big security hole for them.

    1. Re:Make them difficult to turn on by jbmartin6 · · Score: 1

      Agree. I mentioned elsewhere it might make sense for MS to disable macros by default except maybe in enterprise editions. Or maybe even better, simply leave it to enterprise sysadmins to enable via GPO.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  26. Can't tell what this is actually about. by jim.shilliday2271 · · Score: 1

    Can anyone clarify an apparent ambiguity (or error?) in the article referenced by the link in the original post? The article describes preventing Word macros from accessing Internet content, but the group policy shown in the screenshot is "Block macros from running in Office files from the Internet." That's not the same thing at all. Microsoft's suggestion to work around issues with the policy, quoted in the article, is to "ensure the file’s original location is considered trusted within the organization." That doesn't have anything to do with whether or not the macro accesses Internet content. Thanks.

  27. Microsoft Office Ribbon by Anonymous Coward · · Score: 0

    The ribbon was 10 years ago. Get over it.

    The keyboard shortcuts for nearly all of the common operations did not change between versions. Control-S for save, Control-E for center, etc.

  28. A fix for the 1% by Tony+Isaac · · Score: 1

    The 1% of people who actually have or need Office 2016, that is!

    My copy of Office 2007 is still doing fine, and honestly, I liked 2003 better.