
Microsoft plans to kill malware delivery via Office macros

Sant_HH

Summary

 

Starting in April, Microsoft plans to make enabling VBA Office macros tougher by preventing users from enabling them in one click. A message bar reading "Security Risk: Microsoft has blocked macros from running because the source of this file is untrusted" will appear next to a Learn More button, which links to a support page that explains the security risk of bad actors using macros, ways to prevent phishing and malware, and instructions for enabling the macros. This kills a popular distribution method for malware. UK cybersecurity expert Kevin Beaumont tweeted that "this is potentially a game changer for the cybersecurity industry, and, more importantly customers," as macros account for about 25 percent of all ransomware entry

 

Quotes

Quote

Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.

Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

"This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.

 

"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."

After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.

This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.

Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.

If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.

By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.

 

This update will also be pushed to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 users at a future date.

 

"We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations," said Tristan Davis, a Partner Group Program Manager for Microsoft's Office Platform.

 

After the Office update rolls out and blocks one-click enabling macros in documents downloaded from the Internet, you will still be able to enable them by going into the documents' properties and checking the "Unlock" button on the bottom right.

My thoughts

Yay! I guess? Even though the new way of enabling it isn't too complicated, it is definitely better than a single click, as I've seen users that just click "Enable content" with zero thought about it. No idea what problems this might cause though.

 

Sources

Bleeping Computer

Microsoft Support site

Zdnet

Failure is part of success. I may make mistakes, that's how we all learn.

Folding at Home
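The Mark of the Web check quoted in the article above, as an added example (not code from the post, the article, or Microsoft): it parses a file's Zone.Identifier stream, checks whether an OOXML document embeds a VBA project, and classifies the document the way the new default would. The function names, the constructed sample package, and treating zones 3 and 4 as "untrusted" are this example's assumptions.

```python
"""Triage Office documents by Mark of the Web (MoTW) and VBA presence.

Added example, not the post's or Microsoft's code. Office reads the file's
Zone.Identifier alternate data stream (the MoTW); treating zone 3 (Internet)
and 4 (Restricted Sites) as "untrusted" is this example's simplification.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

UNTRUSTED_ZONES = {3, 4}  # standard Windows URL security zone IDs
# OOXML parts that hold a VBA project; a package with one of these has macros.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def untrusted(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style ':Zone.Identifier' text; None if no usable ZoneId."""
    section, fields = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None  # untagged or malformed: Office treats the file as local
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("referrerurl"),
                        fields.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the MoTW from an NTFS alternate data stream (Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no stream (or no ADS support): same as an untagged file


def has_vba_project(data: bytes) -> bool:
    """True when an OOXML package (docm/xlsm/pptm bytes) embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = set(package.namelist())
    except zipfile.BadZipFile:
        return False  # legacy binary .doc/.xls are out of scope here
    return any(part in names for part in VBA_PARTS)


def macro_decision(data: bytes, motw: Optional[MarkOfTheWeb]) -> str:
    """Classify a document the way the post describes the new default."""
    if not has_vba_project(data):
        return "no-macros"
    if motw is not None and motw.untrusted:
        return "blocked-by-default"  # Internet MoTW: no one-click enable
    return "one-click-prompt"        # untagged or intranet: old behaviour


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/vbaProject.bin", b"\x00")  # placeholder project
    return buf.getvalue()
```

On Windows, `read_motw("report.docm")` reads the real stream; elsewhere, feed `parse_zone_identifier` the stream text directly.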


It's about time....

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already? Why new versions of Office continue to support this is beyond me; run old versions while you have to and migrate away from VBA Macros.


1 minute ago, leadeater said:

Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already? Why new versions of Office continue to support this is beyond me; run old versions while you have to and migrate away from VBA Macros.

If you ever ask this question, the answer 99% of the time is for backward compatibility for enterprise users. I guarantee you; companies exist that have mission-critical processes run via a VBA macro written in Excel '97 that absolutely must continue working in Excel 365, lest they go out of business.


11 minutes ago, HarryNyquist said:

If you ever ask this question, the answer 99% of the time is for backward compatibility for enterprise users. I guarantee you; companies exist that have mission-critical processes run via a VBA macro written in Excel '97 that absolutely must continue working in Excel 365, lest they go out of business.

Yes, but you can lock them in to Office 2021 maximum and then wave goodbye and say good luck. Things actually happen when the issue is forced; literally speaking from experience.

 

While it's still supported it won't change, when it's not supported it will change.

 

Edit:

Also, I'm damn sure they are being used here; it has to be at least somewhere. Like Server 2003, Server 2008 32-bit etc.: these go away when you make a policy decision to not allow them to run anymore, then suddenly the owners of the applications and services start to actually care and do something about it. And when they complain about why it's suddenly an issue now, the response is: no, we told you it was an issue 10 years ago, 5 years ago, 4/3/2/1, and now the final bell is up.


11 minutes ago, HarryNyquist said:

If you ever ask this question, the answer 99% of the time is for backward compatibility for enterprise users. I guarantee you; companies exist that have mission-critical processes run via a VBA macro written in Excel '97 that absolutely must continue working in Excel 365, lest they go out of business.

If it's that critical I think they can afford updating their software once every 30 years... they just don't because they don't need to so long as MS allows it.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


18 minutes ago, leadeater said:

Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already? Why new versions of Office continue to support this is beyond me; run old versions while you have to and migrate away from VBA Macros.

And what would be the proper replacement for a lot of the automation that's possible with VBA within Office? I personally really like the ease of use it allows for creating simple solutions to repetitive tasks that, while not mission critical that they absolutely have to run on VBA, makes life easier and cheaper than to have to go out and find a specific piece of software that does exactly what I want with the workflow I intend.

And now a word from our sponsor: 💩

-.-. --- --- .-.. --..-- / -.-- --- ..- / -.- -. --- .-- / -- --- .-. ... . / -.-. --- -.. .

ᑐᑌᑐᑢ



3 minutes ago, Avocado Diaboli said:

And what would be the proper replacement for a lot of the automation that's possible with VBA within Office? I personally really like the ease of use it allows for creating simple solutions to repetitive tasks that, while not mission critical that they absolutely have to run on VBA, makes life easier and cheaper than to have to go out and find a specific piece of software that does exactly what I want with the workflow I intend.

Office.js is literally the replacement for VBA. It can do everything VBA can. While it's not exactly the easiest thing to get started with, it's easy to learn if you choose to. Plus, synchronous tasks are nice.

Do you even fanboy bro?


3 minutes ago, Liltrekkie said:

Office.js is literally the replacement for VBA. It can do everything VBA can. While it's not exactly the easiest thing to get started with, it's easy to learn if you choose to. Plus, synchronous tasks are nice.

It's not a default component of Office, so have fun trying to convince your IT department that they should enable the add in you wrote. Meanwhile, as a lowly office worker drone, I get to program my own solutions for stuff that's too small in scope to really deserve a bespoke application on its own (again, try convincing your IT department to buy software just for you) while still giving me the freedom and flexibility to come up with automations that end up speeding up my work by an order of magnitude.

And now a word from our sponsor: 💩

-.-. --- --- .-.. --..-- / -.-- --- ..- / -.- -. --- .-- / -- --- .-. ... . / -.-. --- -.. .

ᑐᑌᑐᑢ



1 hour ago, Avocado Diaboli said:

And what would be the proper replacement for a lot of the automation that's possible with VBA within Office? I personally really like the ease of use it allows for creating simple solutions to repetitive tasks that, while not mission critical that they absolutely have to run on VBA, makes life easier and cheaper than to have to go out and find a specific piece of software that does exactly what I want with the workflow I intend.

Office Scripts is replacing Office VBA; it's certainly not ready yet, but it is there to be used, for Excel at least.

https://docs.microsoft.com/en-us/office/dev/scripts/resources/vba-differences

 

Also, a lot of highly questionable uses are done with Office VBA scripts, most of which there is already a solution for, or an easy one to implement, if you go to IT with a clear requirement rather than going to them with an already figured out "solution". I can't tell you how many times I've had to reverse back from a request to get to the root of the need or requirement because someone believed they had the answer, or the best answer, already, so was not forthcoming about what the actual situation is.

 

Example: I have this wonderful solution that gives really nice reports. I built it in Microsoft Access and I connected it to the SQL backend. However, other people are not able to run it; please fix this.

 

Actual Solution: Create the reports in Microsoft SQL Server Reporting Services, deploy them to a proper reports server, and use data connectors that only have access to views, not tables, and utilize a restricted service account.

 

Now you may have some more actually valid usage for VBA macros in your work; however, that's not a reason for them to stay forever, and that doesn't prevent you from using a supported version of Microsoft Office that will have that status for at least a minimum of 5 years and likely up to 10 years if that is the VBA cutoff point. Extended support will certainly be a thing for that last version.

 

In any case the replacement is coming, it's just not here yet. Would have been here sooner but I doubt it's been much of a high priority for the Microsoft Office team.


1 hour ago, Sauron said:

If it's that critical I think they can afford updating their software once every 30 years... they just don't because they don't need to so long as MS allows it.

The funny thing about that is, the more critical something is, the less inclined the engineers usually are to change anything about it. I can already tell you (without going into any detail, because reasons) that this appears to be especially true in the medical sector, because in a lot of cases you literally cannot be down for migrations for more than a matter of hours, and if there's the slightest hint of trouble it's going back to the old prod version and rescheduling the migration.


2 hours ago, leadeater said:

Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already? Why new versions of Office continue to support this is beyond me; run old versions while you have to and migrate away from VBA Macros.

I've never understood why those macros were able to break out of the sandbox of the active document anyway. Or why it's been allowed to remain a problem for over a decade (probably longer).


2 hours ago, leadeater said:

Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already?

Not really; to put it mildly, business customers would be pretty pissed. Every single time I get some office file from my workplace (not working in an office, but sometimes have to fill out stuff for HR) it is infested with them.....

Edited by jagdtigger

5 minutes ago, manikyath said:

The funny thing about that is, the more critical something is, the less inclined the engineers usually are to change anything about it. I can already tell you (without going into any detail, because reasons) that this appears to be especially true in the medical sector, because in a lot of cases you literally cannot be down for migrations for more than a matter of hours, and if there's the slightest hint of trouble it's going back to the old prod version and rescheduling the migration.

Oh, of course it's expensive and difficult, no question about it, but eventually it needs to be done. If you have 30-year-old equipment, especially medical equipment, you shouldn't be running the risk of it breaking down on you. If you prepare, you may be able to do a migration in a couple of days; if you don't, it might take months before you get a suitable replacement.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


"This must always work and cannot ever change" is a very real attitude in a lot of business sectors. These demands come only from organisations that are absolutely not willing to spend a penny more than they feel they need to on maintenance and upgrades.

 

Never forget the NHS will have had its Windows XP issue as a direct result of an unsustainably risk-averse attitude to keeping infrastructure patched, up to date, and replaced once so old that no replacements would be sourceable.


6 minutes ago, Sauron said:

Oh, of course it's expensive and difficult, no question about it, but eventually it needs to be done. If you have 30-year-old equipment, especially medical equipment, you shouldn't be running the risk of it breaking down on you. If you prepare, you may be able to do a migration in a couple of days; if you don't, it might take months before you get a suitable replacement.

It's actually the other way around, very often:

 

They buy a machine that'll last 30 years, because it's built to last 100 years if it needs to.

Then that comes with a computer and some software... aaand good luck with that.

Sure, it'll work with the more modern software, but that's A LOT of paperwork to do each update, so you sort of either don't, or only do so VERY selectively.


10 minutes ago, manikyath said:

Then that comes with a computer and some software... aaand good luck with that

This is why software escrow services exist. If the vendor ceases to exist the customer invokes the escrow agreement and gets given the source code & build instructions so that they can (either in house or via a contractor) still maintain the software which is critical to their business.


3 minutes ago, Paul Thexton said:

This is why software escrow services exist. If the vendor ceases to exist the customer invokes the escrow agreement and gets given the source code & build instructions so that they can (either in house or via a contractor) still maintain the software which is critical to their business.

The supplier going belly up isn't the problem.

The problem is the supplier isn't gonna validate software updates in your setup, at least not on their own. So even if cost isn't a consideration (welcome to the medical sector, it isn't xD), the time of your otherwise already very hard at work engineers and scientists is.

 

To reiterate, the problem isn't the software, the hardware, the specific environment, or anything in between. The problem is that highly critical stuff is usually also under very strong validation requirements, and has to be validated in the exact scenario it will be used in.

It can actually happen that even if you try to stay up to speed with the most recent builds, you're getting stuck on a three-year-old build of something, just because your exact workflow breaks due to a very minor issue in an update, and you *need* to find a way around it while still in full production.

 

With some irony, back to the main topic... Excel VBA is actually fairly resilient in this regard. Office can update all it wants; it's extremely rare for something to change in the way VBA operates to actually cause issues, and even more exceptionally rare for it to be more than just a quick fix because a method changed a bit.

VBA's weakness is in how powerful it is, and how "dumb" end users are. Essentially, VBA can be used to deploy automated social engineering attacks, in the same way as it can automate legitimate workflows.


1 minute ago, James Evens said:

There are entire departments running on excel spreadsheets with macros ...

Office Scripts, time to start migrating 🙃

 

If it were any other Office application then it would be a lot harder since only Excel is supported right now, but since you said Excel that box is ticked 👍

 

Also, really, that's why I said just keep running the last supported version of Office; it'll be supported for damn ages just because of this. But it'll end, just like VBA macros should.


2 minutes ago, manikyath said:

It can actually happen that even if you try to stay up to speed with the most recent builds, you're getting stuck on a three-year-old build of something, just because your exact workflow breaks due to a very minor issue in an update, and you *need* to find a way around it while still in full production.

Don't forget that the most recent builds are almost always utilizing old frameworks, or old versions of new frameworks, and often utilize legacy Windows features because they are proven and validated, even after Microsoft has officially given them legacy status. The amount of medical software that uses the oldest possible way to print from within Windows is, well, hilarious and also sad.


1 minute ago, manikyath said:

The problem is the supplier isn't gonna validate software updates in your setup

For me this comes back to software escrow. If I buy an expensive appliance (like, millions of dollarydoos) that requires a PC and some software to drive it, then I want to know that there is a long-term roadmap for ensuring compatibility with base operating system security patches and newer releases. If the vendor fails to deliver on promises, well, that's the kind of thing that's covered in your three-party escrow agreement (or ought to be).

 

Anybody who fails to validate that the vendor plans to do this is failing at procurement, IMO. The thing that drives your mission-critical equipment is as mission-critical as the thing itself, and needs to be supported and maintained.

 

Back to the topic at hand. I'll re-iterate. The fact that VBA macros either aren't sandboxed, or are but not at all well enough to prevent malicious users from causing damage, has always astonished me.


1 minute ago, James Evens said:

Migrating? Budget request? The current software works! *project denied stamp*

That's why I said Microsoft needs to cut it off; hard dates help a lot. Even if you run unsupported for years, at some point it'll become a problem. No sympathy when that elastic band stops stretching, snaps and pings you real good in the ass lol


The problem isn't macros, the problem isn't VB scripts, the problem isn't Excel running JavaScript, which is really scary. The issue is running them from untrusted sources. I've been ranting for years that MS needs to implement a more secure version of embedded code execution, much like current digital certificates, and make them draconian by default, to allow even modest IT depts a basic GPO option to lock it down, hard. This will also prevent exploits from using online document hosting sites as repositories.

 

I was between projects a couple of years ago and spent some time tearing apart ransomware packages that came attached to e-mails. What the embedded macro does is run a few pages of obfuscated garbage code to get around AV scanners and then call down the real nasty stuff. The embedded macro doesn't do the nefarious stuff.

 

End users are gonna 'click'. Nothing you can do about it. At least give IT depts more tools to shut it down without ticking off business units. And for god's sake, start using better AI algorithms to determine if the code is malicious.


@wseaton A lot of those controls are in Office Scripts; the way VBA Macros is implemented, it's probably simply not feasible to do anything like this. Just because it's IT doesn't mean you can label it as ticking xyz off because there is a change. In business, things change all the time; high time people get over it and treat IT like anything else.

 

Ain't any different than complaining about tax codes and laws changing: everything is working for me now, why should I have to change? Because it is.


10 hours ago, leadeater said:

Can we not just get rid of Office VBA Macros altogether and shove them in the legacy basket already? Why new versions of Office continue to support this is beyond me; run old versions while you have to and migrate away from VBA Macros.

The way I look at it, for small to mid-range businesses VBA macros can be quite crucial. I do think that VBA can be dangerous, but not all businesses have a dedicated IT team.

 

Other use-cases would be teams that use 3270 terminal emulators to interface. At my last workplace, the Canadian team interfaced with the 3270 clients with Excel (to quickly automate some of the tasks). It was simple enough that every office had someone who was able to just quickly pick it up and do what they needed to do. There was an attempt to move away from it, but multi-million dollars were spent by the US team, a few years passed, and a "working" solution was made that nowhere matched the speed and reliability that the 3270 terminals still provided. Not saying that certain things shouldn't be sun-setted, but honestly I think had Microsoft, multiple versions ago, specifically when they made xlsx and xlsm, made a better way to manage controls on VBA, they could have made it pretty safe.

 

Actually, an example that I have come across is generating doc files that are sent to customers... in the workplace it reads the customer's profile, and automatically inserts the relevant images and fills in text using VBA. Sure, it could be replaced by an actual program, but realistically that would cost a bunch of money compared to the current solution.

 

Overall, all I am saying is that I think MS could have done better at making it safe, while still keeping it in (because it can be insanely useful having VBA... because it's just so easy for someone to pick up on).

3735928559 - Beware of the dead beef

