Slashdot Mirror
After Decades of Abuse, Microsoft Adds an Anti-Macro-Malware Feature To Office (softpedia.com)
An anonymous reader writes: Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet, a tactic used by malware developers to trick users into allowing the download & automatic installation of malware on their PCs. "Macro malware" as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.
And Microsoft has also made this possible by hiding the extension of files in the UIs making it a lot easier for evil people to trick stupid people into clicking on files that they think are images but actually are an executable.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Manufacturing industry: Government says "Your product is dangerous. Come up with a fix and issue a recall at your expense to implement your fix in every product out there that you sold."
Toy industry: Government says "Your product is dangerous. Pull it off the market. Have the people who bought it return it, and give them their money back."
Software industry: "Our product is dangerous. I know! Let's fix it, but only put the fix in our latest version to force people to upgrade and pay us more money." Government says "Great! We'd like to buy a million copies of the new version."
Given Microsoft's history with free security updates, I thought they understood the difference between a bug fix and a feature upgrade. But between this and rolling out unwanted adware and spyware as "important updates" I guess not.
It's sad that we actually need them to provide this, but users are idiots. Users click buttons. Users click "agree". Users click "run macro" users ignore "this could be dangerous".
All true but that also indicates that the system is stupidly designed. Software companies have conditioned them to ignore warning messages and EULAs and pop up buttons. Users are concerned with getting their task done and asking them to worry about the security of the system is dooming the system to failure right from the start. Any developer that thinks my technologically naive mother is going to be able to deal with macro malware is an idiot.
There is no need for macro support, no one actually uses these features other than malware.
That's straight up false. There are some groups that HEAVILY use macros. The financial industry in particular uses the crap out of them in Excel. (save the snark - it works for them) What should probably happen is that user defined macros should be disabled by default for most users. And no they should be possible to enable via a pop up. I almost never use macros so I'd be happy to have a way to disable them quasi-permanently. They're little more than a malware vector for me but that doesn't mean they aren't useful to other people.
I have never understood why macros need access to the Internet or to run an external program. Personally, I would rather be prompted if a macros needs to connect outside of the document. It would make more sense to me than telling me that a document is scary simply because I emailed it to my self via gmail,
The summary is full of shit. Macros have been disabled by default for a decade now. Seriously, Office 2007 on my work PC requires me to manually enable macros every time I open a document. That's the default setting.
The only change seems to be that this policy can be altered and enforced by Group Policy.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC