After Decades of Abuse, Microsoft Adds an Anti-Macro-Malware Feature To Office

An anonymous reader writes: Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet, a tactic used by malware developers to trick users into allowing the download & automatic installation of malware on their PCs. "Macro malware" as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.

Re:Sadly needed

[Z00L00K]

And Microsoft has also made this possible by hiding the extension of files in the UIs making it a lot easier for evil people to trick stupid people into clicking on files that they think are images but actually are an executable.

Software industry is a joke

[Solandri]

Manufacturing industry: Government says "Your product is dangerous. Come up with a fix and issue a recall at your expense to implement your fix in every product out there that you sold."

Toy industry: Government says "Your product is dangerous. Pull it off the market. Have the people who bought it return it, and give them their money back."

Software industry: "Our product is dangerous. I know! Let's fix it, but only put the fix in our latest version to force people to upgrade and pay us more money." Government says "Great! We'd like to buy a million copies of the new version."

Given Microsoft's history with free security updates, I thought they understood the difference between a bug fix and a feature upgrade. But between this and rolling out unwanted adware and spyware as "important updates" I guess not.

Internet access?

[denbesten]

I have never understood why macros need access to the Internet or to run an external program. Personally, I would rather be prompted if a macros needs to connect outside of the document. It would make more sense to me than telling me that a document is scary simply because I emailed it to my self via gmail,

Re:Turn them off by default

[azcoyote]

Yeah, as a professor I use macros a lot for common tasks in writing papers and for managing my gradebook. The main problem with macros is that they are so stupidly designed and VBA is such a stupid, inconsistent, and insecure language. Macros are already disabled by default until you enable them via a popup, but there is no distinction between harmless operations and dangerous ones that could compromise a user's system. I think Visual Basic needs to be replaced with another language, and macro security needs to be redesigned from the ground up. But Microsoft never does anything so sensible.