Slashdot Mirror


After Decades of Abuse, Microsoft Adds an Anti-Macro-Malware Feature To Office (softpedia.com)

An anonymous reader writes: Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet, a tactic used by malware developers to trick users into allowing the download & automatic installation of malware on their PCs. "Macro malware," as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.

  1. Sadly needed by phishybongwaters · · Score: 2, Insightful

    It's sad that we actually need them to provide this, but users are idiots. Users click buttons. Users click "agree". Users click "run macro". Users ignore "this could be dangerous". Let's go a step further and just straight up remove macros completely. There is no need for macro support, no one actually uses these features other than malware. Get rid of it.

    1. Re:Sadly needed by Coisiche · · Score: 3, Insightful

      There is no need for macro support, no one actually uses these features

      I've certainly never required one for Word but there have been several occasions where something I wanted to do in Excel could only be achieved by writing a macro. Oh sure, I perhaps *could* have managed without resorting to a macro but in one instance I'd probably still have been working on the task several years later... on the other hand maybe I wouldn't have been made redundant from that job if I hadn't tried to be efficient.

    2. Re:Sadly needed by Z00L00K · · Score: 5, Insightful

      And Microsoft has also made this possible by hiding the extension of files in the UIs making it a lot easier for evil people to trick stupid people into clicking on files that they think are images but actually are an executable.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Sadly needed by mrprogrammerman · · Score: 2

      The problem is if they are stupid, the extension showing probably wouldn't make a difference. I think technical people are more annoyed by that setting because they realize that even though something is an image it could be an executable or something else.

    4. Re:Sadly needed by Ed+Avis · · Score: 2

      If Microsoft bothered to distinguish between 'opening' a file and 'running' a program - and double-click would only open, not run - then at least part of the problem would be fixed. But since the earliest days of Windows, the same verb 'Open' has been used for both operations. We can't blame users if they have been trained that double-clicking is the standard way to open a file (surely a safe operation in any sanely written system) but then the OS turns it into the much more dangerous operation of running a program.

      --
      -- Ed Avis ed@membled.com
    5. Re:Sadly needed by hoggoth · · Score: 2

      Prepare for it to get a lot worse when we all have Turing-complete toothbrushes and our heart pace-makers can download ringtone-beat-patterns!

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  2. And, of course. . . . by Salgak1 · · Score: 3, Insightful

    . . . no fixing extant versions of Office out there, and managing it by **GROUP POLICY**?? Really? I guess that either:

    (1) Home and student users are immune to macro viruses, or

    (2) Microsoft is only worried about the security of its corporate clients. . .

    1. Re:And, of course. . . . by kaur · · Score: 2, Insightful

      Dear Microsoft.
      Please give us an example where a home user would benefit from the capability of Office documents to load anything from the web.
      Does this benefit outweigh the risk it creates?
      How?

      In other words -
      DROP THIS BLOAT from your software, for all and for good.
      With the exception of corporate users who, in a strictly controlled environment, might use it - GPO allowing.

    2. Re:And, of course. . . . by craigminah · · Score: 2

      I use it to get stock quotes from Yahoo Finance and other sites.

    3. Re:And, of course. . . . by AmiMoJo · · Score: 5, Informative

      The summary is full of shit. Macros have been disabled by default for a decade now. Seriously, Office 2007 on my work PC requires me to manually enable macros every time I open a document. That's the default setting.

      The only change seems to be that this policy can be altered and enforced by Group Policy.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:And, of course. . . . by R.Mo_Robert · · Score: 2

      The summary is full of shit. Macros have been disabled by default for a decade now. Seriously, Office 2007 on my work PC requires me to manually enable macros every time I open a document. That's the default setting.

      The only change seems to be that this policy can be altered and enforced by Group Policy.

      This is about blocking macros that connect to the Internet, not macros themselves. You are correct that macros have been disabled by default for documents that come from locations that are not marked in Office as "trusted," with a notification that allows you to enable them if desired. This is different, as it affects only a subset of macros and does not allow the user to un-block them. (Also, being able to control macro settings via Group Policy is not new.)

      This sounds like a good move to me. I can't recall ever seeing a macro that had a legitimate need to connect to the Internet.

      --
      R.Mo
  3. Exempt Safe Macros by Cacadril · · Score: 3, Interesting

    I always wondered why there is no distinction between macros that only modify the document in which they are embedded, and all other macros. Say, for instance a letter template that, upon instantiation, sets today's date, then removes all macros from the document.

    --
    There is no substitute for common sense. Especially, no body of rules will do.
  4. Software industry is a joke by Solandri · · Score: 5, Insightful

    Manufacturing industry: Government says "Your product is dangerous. Come up with a fix and issue a recall at your expense to implement your fix in every product out there that you sold."

    Toy industry: Government says "Your product is dangerous. Pull it off the market. Have the people who bought it return it, and give them their money back."

    Software industry: "Our product is dangerous. I know! Let's fix it, but only put the fix in our latest version to force people to upgrade and pay us more money." Government says "Great! We'd like to buy a million copies of the new version."

    Given Microsoft's history with free security updates, I thought they understood the difference between a bug fix and a feature upgrade. But between this and rolling out unwanted adware and spyware as "important updates" I guess not.

    1. Re:Software industry is a joke by rcase5 · · Score: 3, Insightful

      The government requires auto manufacturers to have safety features that protect people in the event of a collision. A collision isn't considered "normal use", but they are required to safeguard against injury in the event of a collision. The spate of recalls due to defective airbags from Takata can be an example of a product feature being fixed that is supposed to deploy outside of normal use. Whether or not the collision is malicious is beside the point.

  5. Turn them off by default by sjbe · · Score: 5, Informative

    It's sad that we actually need them to provide this, but users are idiots. Users click buttons. Users click "agree". Users click "run macro". Users ignore "this could be dangerous".

    All true but that also indicates that the system is stupidly designed. Software companies have conditioned them to ignore warning messages and EULAs and pop up buttons. Users are concerned with getting their task done and asking them to worry about the security of the system is dooming the system to failure right from the start. Any developer that thinks my technologically naive mother is going to be able to deal with macro malware is an idiot.

    There is no need for macro support, no one actually uses these features other than malware.

    That's straight up false. There are some groups that HEAVILY use macros. The financial industry in particular uses the crap out of them in Excel. (save the snark - it works for them) What should probably happen is that user defined macros should be disabled by default for most users. And no they should be possible to enable via a pop up. I almost never use macros so I'd be happy to have a way to disable them quasi-permanently. They're little more than a malware vector for me but that doesn't mean they aren't useful to other people.

    1. Re:Turn them off by default by azcoyote · · Score: 4, Insightful

      Yeah, as a professor I use macros a lot for common tasks in writing papers and for managing my gradebook. The main problem with macros is that they are so stupidly designed and VBA is such a stupid, inconsistent, and insecure language. Macros are already disabled by default until you enable them via a popup, but there is no distinction between harmless operations and dangerous ones that could compromise a user's system. I think Visual Basic needs to be replaced with another language, and macro security needs to be redesigned from the ground up. But Microsoft never does anything so sensible.

      --
      Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
  6. Internet access? by denbesten · · Score: 4, Insightful

    I have never understood why macros need access to the Internet or to run an external program. Personally, I would rather be prompted if a macro needs to connect outside of the document. It would make more sense to me than telling me that a document is scary simply because I emailed it to myself via gmail.

    1. Re:Internet access? by herve_masson · · Score: 3, Interesting

      Well, yes. This is called "sandboxing". Microsoft should have made their macros run in a sandbox, with prominent prompts when the macro needs to access the filesystem, send data over the network, run an external program, etc. etc. Anything that is not manipulating data in the current document.

      But this is the way Microsoft does things, and it sucks hard.

  7. Crap topping on a turd sundae by rcase5 · · Score: 3, Insightful

    This is typical of Microsoft. They introduce "features" which sound really cool, but in actual practice are ill-advised. Then they introduce band-aid solutions that are supposed to make up for these deficiencies, but really don't do anything except get in the way of normal usage, and insult the intelligence of users. The issue with Office macros has been around for about 20 years, and they have been attempting to fix the security holes ever since, to no effect. This is why Windows is such a sieve when it comes to security, because they've designed Windows with the same philosophy as all of their other products, including Office.

  8. Yay! by wwphx · · Score: 2

    Now we have a reason to upgrade to a new version of Office!

    [/sarcasm]

    I HATE Office, ever since they switched to that damn ribbon bar. It killed my productivity, I now have to stop and think to remember how to click and waddle through what ribbon to get the options that I needed, where they were a fairly short menu dive before that I could frequently execute without touching the mouse.

    --
    When you sympathize with stupidity, you start thinking like an idiot.