After a strange bit of back-and-forth, Microsoft announced that it will resume blocking VBA macros in Office by default starting July 27.
“We’re resuming the rollout of this change in Current Channel,” Microsoft’s Kellie Eickmeyer explains in a blog post that was originally published in February but updated this past week. “Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share.”
Microsoft had announced in February that it would start blocking VBA macros obtained from the Internet by default in Office, forcing users to jump through a few hoops to run potentially dangerous code. But it appeared to backtrack earlier this month when it revealed that it was rolling back the change, which had been scheduled for June, because of feedback, presumably from corporate customers.
Security experts howled, explaining that VBA macros are inherently insecure.
“Sad decision,” Google Threat Analysis Group leader Shane Huntley tweeted. “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts. I always see our main mission in threat intelligence is to drive the changes to protect people.”
But Microsoft never intended to abandon the block: it had rolled back the change to make “some additional changes to enhance usability,” and it said at the time that the rollback was only temporary. “We are fully committed to making the default change for all users.”
And now it has. Users interested in learning about the experience they’ll see when they try to run Internet-obtained VBA macros can refer to the Microsoft Support website. And Microsoft has a separate resource for IT pros as well.