Slashdot Mirror


How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback (softpedia.com)

An anonymous reader writes: Macro malware is a term to describe malware that relies on automatically executed macro scripts inside Office documents. This type of malware was very popular in the '90s, but when Microsoft launched Office 97, it added a popup before opening Office files that warned users about the dangers of enabling macros. Microsoft's decision had a huge impact on macro malware, and by the 2000s, this type of malware went almost extinct. Lo and behold, some smart Microsoft UI designers start thinking that users might get popup fatigue, so in Office 2007, Microsoft makes the monumental mistake of removing the very informative popup, and transforming the warning into a notification bar at the top of the document with only six words warning users about macros. Things get worse in Office 2010, when Microsoft even adds a shiny button that reads "Enable Content," ruining everything it had done in the past 10-15 years, and allowing macro malware to become the dangerous threat it is today. The U.S.-CERT team issued an official threat yesterday warning organizations about the resurging threat of malware that uses macro scripts in Office documents.

12 of 129 comments

  1. Re:Good UI decisions? by fred911 · · Score: 2

    allowing a pipe as in:

    Format C: | Y

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. Car Analogy by Required+Snark · · Score: 4, Insightful

    If Windows was a car and Microsoft was the driver, it would be like someone who is senile and keeps running into the same tree over and over and over again. In both the real world and the analogy they always lose their memory of past failures, and the result is inevitable.

    This is rooted in Microsoft culture. Security is never a primary concern. Imagine someone with a whiny voice saying "It's too hard, I don't wanna do it, it makes things no fun" etc, etc. From the outside that seems like how they behave.

    And there is the little matter of loss of institutional memory, which is the senility part. That is because they consciously exclude people of long experience. They don't hire them, and if anyone is too long on the job they get flushed out. It's cheaper and keeps the workforce docile. But the long term result is making the same mistake over and over again. Not that Microsoft is a whole lot worse than any other big software organization, but they appear to do it even more than other big outfits.

    Expect them to resurrect the BSOD any day now...

    --
    Why is Snark Required?
    1. Re:Car Analogy by Ol+Olsoc · · Score: 4, Informative

      Expect them to resurrect the BSOD any day now...

      It never went away - still an integral part of the Windows experience. http://answers.microsoft.com/e...

      http://answers.microsoft.com/e...

      http://www.computerworld.com/a...

      W10, 8.1, and 7. BSOD - supposedly long gone.

      I've had zealots declare me a liar while claiming "There is no BSOD any more!" with great conviction. It still happens, even as documented on Microsoft pages.

      Watch me get marked as a troll for pointing out the truth.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Car Analogy by gustygolf · · Score: 2

      It's certainly not like Windows 95, 98, Mistake Edition, or 2000 where they were an integral part of the experience.

      Win2k does not belong in that list.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  3. Re:Stupid people by Darinbob · · Score: 2

    Because the average user doesn't know what "Run Content" means. Meanwhile they're being told to never disable scripts, never enable adblock, always accept all defaults, and Microsoft is never wrong.

  4. Go back to "Warning", not "Run". Allow disable by raymorris · · Score: 3, Insightful

    > and what do you propose as solution?
    > Removing macros? Further dumbing down systems ?

    The problem is that Microsoft dumbed it down too much. They have one button where they should have two. The ONLY option in the new UI is "Run Content". There should be a "No Thanks" button.

    As explained in the fine summary, the recommendation is something like the old warning, which actually worked, or at least an option labeled "dismiss", "cancel", or "disable macros". Here's one MS UI that worked:

    http://i1-news.softpedia-stati...

    Microsoft traded that for a single button with the instruction "Enable Content". There is no more "disable macros" option anymore. Anyone who isn't sure what they should do will often click the one and only option Microsoft provides: run the macros. There should be a button to dismiss the message without running macros.

    1. Re:Go back to "Warning", not "Run". Allow disable by Firethorn · · Score: 2

      Microsoft traded that for a single button with the instruction "Enable Content". There is no more "disable macros" option anymore. Anyone who isn't sure what they should do will often click the one and only option Microsoft provides: run the macros. There should be a button to dismiss the message without running macros.

      I agree, but as a security guy in a government position, one thing I learned is that if you disable *everything* by default and require them to manually click to enable, such that they end up doing so every day for legitimate work tasks, they get used to doing so and will click even when they shouldn't. Same deal with barraging them with warning popups full of legalese. They stop reading pop-ups.

      As such, and while I understand it might be more complicated to implement, my suggestion would be to sandbox everything. We're dealing with legacy code here, so here's what I'd do:
      1. Identify problematic commands and structure. Anything that modifies files other than itself, anything that modifies the macro itself, system or application settings, etc... Anything that activates the email or print functionality.

      So an application that only changes itself, like 99% of the stuff my users use, no warning, it's not a problem.
      For the rest, well, code signature. It pops up who made the code, that they have a valid code signing certificate signed by X organization, and they get to decide.

      So, to use an example I saw, an application that analyzes how changing gasoline prices will affect your budget that pops up a warning that it wants to modify system files (danger danger!) might actually trip the security minded part of their brain, because it shouldn't need to.

      Fewer warnings = less likely to ignore them.

      --
      I don't read AC A human right
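The summary's complaint (a notification bar whose only button is "Enable Content") and Firethorn's suggestion above (let signed macros through, warn about the rest) both map onto a policy administrators can set today. The following is an added example, not code from the thread or from Microsoft: it writes the documented Office Trust Center macro policy into the current user's policy hive and then audits it, assuming Office 2016/2019/365 (registry version "16.0").

```powershell
# Added example (not from the Slashdot thread). Sets and audits the Office
# "VBA Macro Notification Settings" policy for Word, Excel and PowerPoint.
# Assumption: Office 2016/2019/365, whose policy keys live under "16.0".
# VBAWarnings values, as documented in Microsoft's Office policy templates:
#   1 = enable all macros (weakest)
#   2 = disable with notification  <- the "Enable Content" bar discussed above
#   3 = disable all except digitally signed macros (the code-signing option)
#   4 = disable all macros without notification
$Apps = 'Word', 'Excel', 'PowerPoint'
$OfficeVersion = '16.0'

function Get-MacroPolicyKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-MacroPolicy {
    param([int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = Get-MacroPolicyKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Only signed macros may run, and nothing runs from Internet-zone files
        # (files carrying the Mark of the Web, e.g. e-mail attachments).
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-MacroPolicy {
    $meaning = @{ 1 = 'enable all (weak)'; 2 = 'notify + Enable Content button (weak)';
                  3 = 'signed macros only'; 4 = 'all macros blocked silently' }
    foreach ($app in $Apps) {
        $key = Get-MacroPolicyKey $app
        $v = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $b = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = if ($null -eq $v) { 'not set (Office default = 2)' } else { "$v = $($meaning[[int]$v])" }
            BlockInternet = ($b -eq 1)
        }
    }
}

Set-MacroPolicy -VBAWarnings 3
Get-MacroPolicy | Format-Table -AutoSize
```

Run Get-MacroPolicy alone first to see the weak default (value 2, or unset) that this thread is about; in a domain the same values are normally pushed by Group Policy rather than a per-user script.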
  5. Re: Stupid people by Anonymous Coward · · Score: 3, Insightful

    The stock symbol is a convenient short identifier.

    MS deserve the moniker M$ due to patterns of behaviour that indicate they have no integrity. Some people don't understand that organisations have a persistent culture, some are simply stupid, some are going to switch off no matter what you do, and your managers don't bother reading your emails in full.

    That's life.

    It's also not particularly interesting or informative to keep pointing it out as if you have some kind of special insight, unless you want everyone to "join" them in a collaborative love-in of business bullshit and become part of the problem. You cannot change all people like that, and frankly fuck them if the alternative is to be co-opted into the church of the subpar.

  6. Re: Stupid people - Mandatory Access Control by Pentium100 · · Score: 3, Interesting

    Linux has the same problem.

    A limited user (even without sudo rights) launches a buggy application and opens an infected document. The virus can then proceed to encrypt all the files that the user can modify.

    The system files will stay intact.
    The documents of the user will get encrypted.

    The user usually cares about being able to access his documents, so the damage is done even without root access. If this happens on a single user desktop, then the damage is the same as if the virus had root access. In both cases you have to restore the PC from backups (if you have them).

  7. The worst offense... by Anonymous Coward · · Score: 5, Insightful

    ...was when they decided that hiding the extension was a great idea and made it default in XP.
    trojan.jpg.zip anyone?

  8. Re:Really? by jaseuk · · Score: 4, Insightful

    Yes - but this appears even on files without any Macro content - just because the file came by e-mail. So files from internal recipients in a DOMAIN without Macros have the SAME warning as an internet file with a Macro virus.

    This is the stupidity.

    Jason.

  9. Re: Stupid people by lucm · · Score: 2

    Yeah Stuxnet sucks. It totally screwed up my nuclear program infrastructure. That's the price I paid for letting the trial McAfee expire on my new cheap Asus laptop.

    --
    lucm, indeed.