Microsoft has stunned core parts of the security community with a decision to quietly change course and open untrusted macros by default in Word and other Office applications.
In February, the software maker announced a major change it said it was making to combat the growing scourge of ransomware and other malware attacks. In the future, macros in files downloaded from the Internet would be completely disabled by default. While Office previously showed warning banners that could be dismissed with the click of a button, the new warnings would provide no such way to enable the macros.
“We will continue to tweak our macro user experience, as we’ve done here, to make it more difficult to trick users into running malicious code through social engineering, while maintaining a path to enable legitimate macros where necessary through Trusted Publishers and/or trusted locations,” wrote Microsoft Office Program Manager Tristan Davis, explaining the reason for the move.
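The block Davis describes is also exposed as a Group Policy setting, so an organization does not have to depend on Microsoft's shipped default. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes Office 2016/2019/365 (the 16.0 registry hive) and the policy value name blockcontentexecutionfrominternet that backs the "Block macros from running in Office files from the Internet" setting, and it writes the per-user policy hive rather than a domain GPO.

```powershell
# Added example: audit and enforce the "block macros from the Internet" policy
# for the current user, independent of Microsoft's default-on/default-off decision.
# Assumptions (not from the article): Office 16.0 hive; the policy value name below
# is the one documented for the Group Policy setting; the app list is Word, Excel,
# PowerPoint, Access and Visio (the apps the 2022 rollout covered).
$OfficeApps = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio')
$ValueName  = 'blockcontentexecutionfrominternet'

function Get-InternetMacroBlockState {
    # One object per app: the raw policy value (if any) and whether it equals 1 (block).
    foreach ($app in $OfficeApps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            App     = $app
            Value   = $current
            Blocked = ($current -eq 1)
        }
    }
}

function Set-InternetMacroBlock {
    # Create the policy key if missing and set the DWORD to 1: macros in files marked as
    # coming from the Internet are blocked with no one-click "Enable content" override.
    foreach ($app in $OfficeApps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Audit, enforce, then re-audit; any app still reporting Blocked = False needs a closer look.
Get-InternetMacroBlockState | Format-Table -AutoSize
Set-InternetMacroBlock
Get-InternetMacroBlockState | Where-Object { -not $_.Blocked } | ForEach-Object {
    Write-Warning "Policy not applied for $($_.App)"
}
```

A domain Group Policy that sets the same value takes precedence over this per-user write, and the block only applies to files that carry the Mark of the Web, so files copied in without that zone marker still fall back to the ordinary Trust Center behavior.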
Security professionals — some of whom have spent the past two decades watching customers and employees become infected with ransomware, wipers and espionage malware with frustrating regularity — welcomed the change.
‘Very poor product management’
Now, citing undisclosed “feedback,” Microsoft has quietly changed course. In comments such as this one, posted Wednesday beneath the February announcement, several Microsoft employees wrote, “Based on feedback, we are rolling back this change to Current Channel production. We appreciate the feedback we’ve received so far, and we’re working on improvements to this experience.”
The succinct confession came in response to comments from users asking why the new banners didn’t look the same anymore. The Microsoft staff did not respond to questions from forum users asking what the feedback was that caused the rollback or why Microsoft hadn’t communicated it before the change was made.
“It feels like something very recently overturned this new default behavior,” wrote one user named vincehardwick. “Maybe Microsoft Defender overwrites the block?”
After learning that Microsoft had rolled back the block, vincehardwick admonished the company. “To roll back a recently implemented change to the default behavior without at least announcing that the rollback is about to happen is very poor product management,” the user wrote. “I appreciate your apology, but it really shouldn’t have been necessary, it’s not like Microsoft is new to this.”
On social media, security professionals lamented the reversal. This tweet from the head of Google's Threat Analysis Group, which investigates state-sponsored hacking, was typical.
“Sad decision,” wrote Google employee Shane Huntley. “Blocking Office macros would do infinitely more to actually defend against real threats than any threat intelligence blog post.”
“I always see that our number one mission in threat intelligence is to drive the change to protect people,” Huntley added in the same tweet, posted July 8, 2022.
Not all veteran defenders are critical of the move, however. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the rollback was necessary because the original schedule for rolling out such a major change was too aggressive.
“While this isn’t the best for security, it’s exactly what many of Microsoft’s largest customers need,” Williams told Ars. “The decision to close macros by default impacts thousands (more?) of mission-critical workflows. More time is needed before sunset.”
Microsoft PR has not commented on the change in the nearly 24 hours since it first surfaced. A rep told me she’s checking on the status.