Microsoft makes major course reversal, allows Office to run untrusted macros [Updated] – Ars Technica
https://ift.tt/zije4Fs
Front page layout
Site theme
Sign up or login to join the discussions!
Dan Goodin – Jul 11, 2022 4:47 pm UTC
Microsoft has stunned core parts of the security community with a decision to quietly reverse course and allow untrusted macros to be opened by default in Word and other Office applications. (Update on July 11: The company later clarified that the move is temporary.)
“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Microsoft Office Program Manager Tristan Davis wrote in explaining the reason for the move.
Security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.
Now, citing undisclosed “feedback,” Microsoft has quietly reversed course. In comments like this one posted on Wednesday to the February announcement, various Microsoft employees wrote: “based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience.”
Microsoft later updated the post to say the reversal wouldn’t be permanent. “Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability,” the updated post stated. “This is a temporary change, and we are fully committed to making the default change for all users.”
The terse admission came in response to user comments asking why the new banners were no longer looking the same. The Microsoft employees didn’t respond to forum users’ questions asking what the feedback was that caused the reversal or why Microsoft hadn’t communicated it prior to rolling out the change.
“It feels like something has undone this new default behavior very recently,” a user named vincehardwick wrote. “Maybe Microsoft Defender is overruling the block?”
After learning Microsoft rolled back the block, vincehardwick admonished the company. “Rolling back a recently implemented change in default behavior without at least announcing the rollback is about to happen is very poor product management,” the user wrote. “I appreciate your apology, but it really should not have been necessary in the first place, it’s not like Microsoft are new to this.”
On social media, security professionals lamented the reversal. This tweet, from the head of Google’s threat analysis group, which investigates nation-state-sponsored hacking, was typical.
“Sad decision,” Google employee Shane Huntley wrote. “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.”
Sad decision. Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.
I always see our main mission in threat intelligence is to drive the changes to protect people. https://t.co/JFMeyzefov
Not all experienced defenders, however, are criticizing the move. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the change was necessary because the previous schedule was too aggressive in the deadline for rolling out such a major change.
“While this isn’t the best for security, it’s exactly what many of Microsoft’s largest customers need,” Williams told Ars. “The decision to cut off macros by default will impact thousands (more?) of business-critical workflows. More time is needed to sunset.”
Post updated to note the reversal is temporary.
You must login or create an account to comment.
Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox.
CNMN Collection
WIRED Media Group
© 2022 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy.
Your California Privacy Rights | Do Not Sell My Personal Information
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.
Ad Choices
Tech
via Inferse.com https://www.inferse.com
August 5, 2022 at 09:22PM