Don’t just block MS Office macros; kill the buggers
Microsoft has announced that it is making it harder for the bad guys to use MS Office macros with malicious intent.
“Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios,” says the official Microsoft announcement on the TechNet Threat Research & Response Blog.
“Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months,” the announcement reads. It also adds that “in the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.”
This alone suggests that something needs to be done about macro-based malware. The real problem for Microsoft is deciding exactly what. That 98% statistic – which, remember, refers to detections and not necessarily successful infections – is a stark reminder to us all that the current Microsoft mitigation methodology isn’t working.
And that doesn’t surprise us here at IT Security Thing HQ one little bit. After all, warnings about MS Office macros are more often ignored by end users than not. Even the Protected View default setting is, in our experience, either soon switched off by the user (because it ruins usability) or switched off after they are tricked into doing so by social engineering.
Which is where the new mitigating measures come into effect, attacking the problem of what Microsoft refers to as high-risk macro scenarios. “Block the macro, block the threat,” says Microsoft. Erm, yes, we get that. But it hasn’t really worked up until now, so what’s different this time around?
Microsoft says it’s a three-pronged principle, namely:
- Allow an enterprise to selectively scope macro use to a set of trusted workflows
- Block easy access to enabling macros in scenarios considered high risk
- Provide end users with a different and stricter notification, so it is easier for them to distinguish a high-risk situation from a normal workflow
Using Group Policy, configured on a per-application basis, enterprise admins can block macros from running in Excel, PowerPoint and Word documents that have arrived from the Internet. This applies whether the file was downloaded from a website or the cloud, or attached to an email from an external organisation, for example.
In such a scenario, the new feature would prevent the end user from leaving the sandboxed safety of Protected View even if they wanted to. There would be no way, Microsoft insists, to circumvent this.
Unless, of course, the policy disrupts workflows, and the job of identifying which locations are trusted enough to be allowed through the roadblock becomes too much hassle. Given that the new feature appears to rely purely on Windows ‘security zone information’ (files originating from the Internet Zone would be blocked, for example), this seems a plausible scenario.
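As an added example (not code from the article or from Microsoft), the PowerShell below audits and sets that per-application block and reads the zone mark a downloaded file carries, which is what the policy keys off. The registry value names are those of the Office 2016 policy templates; the 16.0 version path and the HKCU policy hive are assumptions for this illustration.

```powershell
# Added example, not from the article: audit/set the Office 2016 "block macros
# from Office files from the Internet" policy per application, and read the
# mark-of-the-web zone on a file. Assumptions: Office 16.0, user-scope policy
# hive. blockcontentexecutionfrominternet=1 enables the Internet-zone block;
# VBAWarnings=4 disables all macros without notification (the "no macro
# workflows at all" case Microsoft recommends).
$Apps = 'Word', 'Excel', 'PowerPoint'
$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "$Base\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = ($props.blockcontentexecutionfrominternet -eq 1)
            DisableAllMacros    = ($props.VBAWarnings -eq 4)
        }
    }
}

function Set-MacroPolicy {
    param([switch]$DisableAllMacros)  # use when no workflow needs macros at all
    foreach ($app in $Apps) {
        $key = "$Base\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Block macros in documents whose zone information says "Internet"
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        if ($DisableAllMacros) {
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier alternate data stream: ZoneId=3 is the Internet zone.
    # A file with no stream is treated as local, so the block will not apply.
    $ads = (Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join "`n"
    if ($ads -match 'ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

Get-MacroPolicy | Format-Table
```

Note that a file copied from a share or saved by a tool that strips the Zone.Identifier stream returns no zone here, which is exactly the trusted-location gap the article describes.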
Which brings us to the final two paragraphs in the Microsoft posting, and they are the most important ones if you ask us. Here the advice is much the same for end user and enterprise administrator alike: disable macros completely.
For end users Microsoft recommends that “you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.”
For enterprise administrators it’s this: “if your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.”
Well quite. Just like Adobe Flash plugins, we say that if you don’t need them, and the chances are that you really don’t, then kill the buggers. Put an end to MS Office macros. After all, isn’t it about time that Microsoft found a better way of automating tasks in Office?