Microsoft plans to kill malware delivery via Office macros

[leadeater]

1 hour ago, wanderingfool2 said:

Overall, all I am saying is that I think MS could have done better at making it safe, while still keeping it in (because it can be insanely useful having VBA...because it's just so easy for someone to pick up on)

So is Office Script, in fact it looks easier. Hell you can just do an action record and it'll create a Office Script that automates exactly what you just did, then from there you can edit it.

 

If you were able to write some VBA you can 100% use Office Script.

[wanderingfool2]

4 hours ago, leadeater said:

So is Office Script, in fact it looks easier. Hell you can just do an action record and it'll create a Office Script that automates exactly what you just did, then from there you can edit it.

 

If you were able to write some VBA you can 100% use Office Script.

Yea, admittedly it is pretty simple, but not nearly as powerful. (With VBA you could also record ) I get that it's a lot more lock-down pretty much to prevent the abuse, but at the same time it does limit you a decent amount.  At least from what I've seen it's not nearly at the point it needs to be to properly replace VBA.  (I don't use the web version so I haven't played around with it really).

 

In general, I think VBA is remarkably powerful for a pretty simple language to read/write; and while that does add dangers to it, I still feel that the warning and enabling of macros could have been redesigned in a way to make it less likely to have someone run VBA that contains malware...I bet they could have even sandboxed it if they wanted to

[Sauron]

15 hours ago, manikyath said:

it's actually the other way around, very often:

 

they buy a machine that'll last 30 years, because it's built to last 100 years if it needs to.

then that comes with a computer and some software... aaand good luck with that.

sure it'll work with the more modern software, but that's A LOT of paperwork to do each update, so you sort of either dont, or only do so VERY selectively.

Oh I'm very aware, I'm losing my mind over such paperwork in this precise moment. However in my experience the longer you wait, the worse the paperwork gets.

[leadeater]

2 hours ago, wanderingfool2 said:

At least from what I've seen it's not nearly at the point it needs to be to properly replace VBA.  (I don't use the web version so I haven't played around with it really).

Yea it's still very early and as mentioned Excel only right now, not a replacement for VBA yet. Fairy sure it'll get much more feature and capabilities rich over time though. It's likely why Microsoft isn't rushing to drop VBA Macros because they don't have anything to replace it yet, not fully.

[Kisai]

20 hours ago, leadeater said:

Can we not just get rid of Office VBA Macros all together and shove in the legacy basket already? Why new versions of Office continue to support this is beyond me, run old versions while you have to and migrate away from VBA Macros.

 

Not gonna happen. At least the engineering firm that I was doing work at, had a lot of these things, and just getting them work was basically a shot in a dark when migrating one user's profile to another machine.

[leadeater]

2 minutes ago, Kisai said:

Not gonna happen. At least the engineering firm that I was doing work at, had a lot of these things, and just getting them work was basically a shot in a dark when migrating one user's profile to another machine.

And XP will be supported forever, Faxes will never die out and the CPU frequency clock sync'd Fax Card in the PIII will never fail 

[Kisai]

1 minute ago, leadeater said:

And XP will be supported forever, Faxes will never die out and the CPU frequency clock sync'd Fax Card in the PIII will never fail 

Do realize that a lot of the VBA crap out there is stuff written by people who either no longer work for the company, or were "locked" so they can't be opened and legally reverse engineered. I've literately written stuff like this while at AT&T back on the 2G system. There is so much attrition at companies that chances are many tools are still being used that were written for Windows 2000 and Office 2000, because they don't want to pay someone to write a replacement, and "management" refuses to believe that tools written by previous customer support people are valuable.  One of the major tools used at (auction site) was written by customer service people in Java, is that person still around? Likely not, so they replaced it with this enormously complex "clearly written by a programmer with no UI experience" tool, against a database that was basically a raw database. It was incredibly unfriendly, so I wrote my own tool on top of it.

 

Sometimes I wrote a tool in VBScript, sometimes I wrote it in VBA inside Excel, sometimes I wrote it in JScript, sometimes I wrote it in Macro Express. Whatever was available on the computer that didn't involve asking permission for programming tools.

 

Every place I've worked, I've written tools to interface something stupid with something new. Even people I work with now, I'm finding myself writing tools that create output intended for a DOS system.

[leadeater]

Just now, Kisai said:

Do realize that a lot of the VBA crap out there is stuff written by people who either no longer work for the company

I do, I very much do. Doesn't at all change my opinion.

[HarryNyquist]

23 hours ago, leadeater said:

Yes but you can lock them in to Office 2021 maximum and then wave goodbye and say good luck. Things actually happen when the issue is forced, literally speaking from experience.

 

While it's still supported it won't change, when it's not supported it will change.

 

Edit:

Also I'm damn sure they are being used here, has to be at least somewhere. Like Server 2003, Server 2008 32bit etc these go away when you make a policy decision to not allow to run them anymore then suddenly the owners of the applications and service start to actually care and do something about it. And when they complain about why it's suddenly an issue now the response is no we told you it was an issue 10 years ago, 5 years ago, 4/3/2/1, and now the final bell is up.

I'm not saying it's a good reason, I'm saying that's the reason  

MS is so scared of losing long-time contracts that they will keep shit around well past its expiration date JUST to appease the possibility that something's still using it.

23 hours ago, Sauron said:

If it's that critical I think they can afford updating their software once every 30 years... they just don't because they don't need to so long as MS allows it.

Tell that to the healthcare industry running life-critical applications written in COBOL on 1980's era AS/400 mainframes, lol

 

It's unfathomably stupid but even if MS were to say "VBA dies tomorrow" I really am not sure execs would update/change these processes at all. Until last week, my company was still using Office 2013, ffs. I think MS would have to physically terminate all other licenses of Office except 365 to enforce compliance, which would be an unpopular move to say the least.

[leadeater]

16 minutes ago, HarryNyquist said:

I'm not saying it's a good reason, I'm saying that's the reason  

MS is so scared of losing long-time contracts that they will keep shit around well past its expiration date JUST to appease the possibility that something's still using it.

That however is actually rapidly, or not depending on your adoption, changing due to Azure. Microsoft set a precedent at the start, probably not fully intentionally lol, that literally anything in Azure can and will change or even disappear. Very different to their legacy app support of the past. I'm willing to bet once Microsoft thinks Office Scripts is ready VBA will be pulled quite quickly, Office Scripts is part of Office 365 and Azure and making a change that move the control back to them is 100% something I see them doing. 

[jagdtigger]

4 minutes ago, leadeater said:

I'm willing to bet once Microsoft thinks Office Scripts is ready VBA will be pulled quite quickly

Guess which patches IT wont install, and probably entirely stop updating office....

[Rauten]

12 minutes ago, jagdtigger said:

Guess which patches IT wont install, and probably entirely stop updating office....

No, IT won't install them.

Microsoft will, automatically, through the enterprise update ring. 

 

Oh, your Excel 97 spreadsheet with macros and custom development up-the-wazoo that you've been forcefully keeping alive for years and the entire department depends on it no longer works?

I'm so sorry to hear that, but you see, Microsoft has completely disabled that functionality in their latest update, I'm afraid we can't resurrect it.  

And we will burn the corpse until even the ashes are no longer usable.

[jagdtigger]

1 minute ago, Rauten said:

Microsoft will, automatically, through the enterprise update ring. 

Nope, business IT runs their own update server. They test updates before pushing them into production to make sure MS didnt screw up something....

[leadeater]

21 minutes ago, jagdtigger said:

Guess which patches IT wont install, and probably entirely stop updating office....

Not likely, also it's not patches. It'll be a new edition of Office and while many will obvious hold back on migrating to the latest any reasonable sized company will come up with a migration plan because staying on old version of Office isn't an option forever, especially if you have O365 host mail where MS will simply block you if they felt like it.

 

Moving away from VBA actually isn't as hard or as complicated as people want to make it out to be, what the lack is the desire and motivation to do it. But that's not uncommon or unnatural.

 

Things that will take a lot of time are generally avoided, making the situation worse I might add.

[leadeater]

3 minutes ago, jagdtigger said:

Nope, business IT runs their own update server. They test updates before pushing them into production to make sure MS didnt screw up something....

You clearly don't use Microsoft Office 365, Teams etc. All these have push updates as part of them, the choice you get is how much delay and that's about it.

[Rauten]

4 minutes ago, jagdtigger said:

Nope, business IT runs their own update server. They test updates before pushing them into production to make sure MS didnt screw up something....

Just now, leadeater said:

You clearly don't use Microsoft Office 365, Teams etc. All these have push updates as part of them, the choice you get is how much delay and that's about it.

Yup, that's exactly how we're set up in our company.

You didn't like the last update? Well, too freaking bad. 

[jagdtigger]

4 minutes ago, leadeater said:

You clearly don't use Microsoft Office 365

OFC not, im not dumb after all. I still use MSO2010 that is printing money by this time compared to the subscription BS.....

[wanderingfool2]

7 hours ago, leadeater said:

Yea it's still very early and as mentioned Excel only right now, not a replacement for VBA yet. Fairy sure it'll get much more feature and capabilities rich over time though. It's likely why Microsoft isn't rushing to drop VBA Macros because they don't have anything to replace it yet, not fully.

Yea, I personally would be very hesitant about it becoming powerful enough to outright replace all VBA functionality.  Mainly because it seems as though they are touting that it only has access to the Workbook it runs on.  I get that MS might be doing that to make it more secure (and so it can easily run on Excel on Web), but it can be super useful in VBA to just tell it to run and grab numbers from an already open excel sheet.

 

A real world use-case, a 60 employee business where we have a call-center staffed by 4 people to deal with things that arise from the customers.  We have the "reports" created by the HBPX call centre dashboard but need to utilize that data in another way (there aren't the reports we need to properly track the information we want about each agent...or rather there is the data, but we don't want to open up 10 reports and sift through the data each time).  So the solution was having the reports sent as a xlsx file, and use an reports xlsxm to go through the excel file and quickly parse out the data from the rows we needed.  [The quoted price from the provider to provide the reports was well out of the companies price range].  It could still have been done in a different language like C# using Excel's interop but generally it would just make it harder (as there was enough people left around the office upon leaving that still were proficient enough in VBA that they could modify it to add the new stuff they wanted)

 

*Although from my understanding this might still be possible in Office Scripts, but instead you would have to use Power Automate alongside Office Scripts...and I'm not sure if it works if one of the excel files is just a plain excel file...I really can't test it...not holding out hope for it*

 

Overall though, I'm not really holding out hope in MS getting Office Scripts right...especially given it's the company that thought it was a good idea to make excel open documents in a single window (dealt with so many headaches of users who needed two open on different screens)

[leadeater]

23 minutes ago, wanderingfool2 said:

A real world use-case, a 60 employee business where we have a call-center staffed by 4 people to deal with things that arise from the customers.  We have the "reports" created by the HBPX call centre dashboard but need to utilize that data in another way (there aren't the reports we need to properly track the information we want about each agent...or rather there is the data, but we don't want to open up 10 reports and sift through the data each time).  So the solution was having the reports sent as a xlsx file, and use an reports xlsxm to go through the excel file and quickly parse out the data from the rows we needed.  [The quoted price from the provider to provide the reports was well out of the companies price range].  It could still have been done in a different language like C# using Excel's interop but generally it would just make it harder (as there was enough people left around the office upon leaving that still were proficient enough in VBA that they could modify it to add the new stuff they wanted)

Personally I would have just connected to the database, assuming it has one ofc, and generated reports from that. Could even setup replication and select only the tables and columns required so you aren't putting load on the main database. Graphing and reporting using Excel or Access to an SQL data source is actually a really powerful quick and dirty as much as I hate telling people to try this method over more built out reporting solutions.

[wanderingfool2]

1 minute ago, leadeater said:

Personally I would have just connected to the database, assuming it has one ofc, and generated reports from that. Could even setup replication and select only the tables and columns required so you aren't putting load on the main database. Graphing and reporting using Excel or Access to an SQL data source is actually a really powerful quick and dirty as much as I hate telling people to try this method over more built out reporting solutions.

Yea, a database connection would be nice...but nope didn't exist (wish it had).  It's data provided by the 3rd party...it was a you get what you get situation.  Either getting daily emails with multiple pdfs or more of the data being received via xlsx...which couldn't be easily read into a database since it wasn't the raw data.

[manikyath]

9 hours ago, Sauron said:

Oh I'm very aware, I'm losing my mind over such paperwork in this precise moment. However in my experience the longer you wait, the worse the paperwork gets.

totally, but the quicker you do it, the more often you'll have ti do it (because you're skipping less updates)

[jagdtigger]

23 minutes ago, wanderingfool2 said:

or more of the data being received via xlsx...which couldn't be easily read into a database since it wasn't the raw data.

But you can export it as a csv, that can be fed to a database server....

[wanderingfool2]

1 minute ago, jagdtigger said:

But you can export it as a csv, that can be fed to a database server....

It wasn't raw data, so it still would need to be formatted to include only the correct data (it was effectively a report in an excel format, including headers multiple sections and all).  Overall, the point still stands though, if the process would be download the xlsx, convert to csv, load into a database, generate the report you wanted in xlsx...it's just in general better just going from the xlsx straight to the report xlsx.

 

No point in over-engineering something that already has an easy solution to it (that takes the same amount of time as the "proper" way)

[Sauron]

1 hour ago, manikyath said:

totally, but the quicker you do it, the more often you'll have ti do it (because you're skipping less updates)

I'll take it over rushed deadlines...