Microsoft appears set to roll back its decision to adopt a default stance of preventing macros sourced from the internet from running in Office unless given explicit permission.
The software giant announced the change in February 2022 with a post that explained how macros written with Visual Basic for Applications are powerful, but offer a way for criminals to drop malicious payloads onto the desktop.
The potential for such attacks is hardly new. The infamous Melissa virus rampaged across the world’s mail servers in 1999 thanks to malicious macros embedded in a Word document. Things got worse over the years, so in 2016 Microsoft upped the ante with a tool that allowed admins to define when and where macros were allowed to run. Microsoft also stopped running macros without first asking users if they really wanted to do so.
But the problem kept getting worse. So in February this year Microsoft decided to block macros by default in Access, Excel, PowerPoint, Visio, and Word, explaining that the change made Office “more secure and is expected to keep more users safe including home users and information workers in managed organizations.”
Now the company appears to have reversed that decision.
A comment from a chap named Vince Hardwick noted that the default blocking of macros appeared to have been removed in the Current Channel for Office. Bleeping Computer appears to have spotted the thread before The Register.
A Microsoft staffer named Angela Robertson responded with the following:
Robertson did not discuss the feedback Microsoft has received that led to the change, but among the many comments on the original post announcing the block are complaints from users who took issue with the way macro blocking was implemented or lamented that it’s effectively broken some useful systems they’ve built.
Hardwick was also unimpressed.
“Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management,” he wrote.
“We’ve been scrambling to obtain a digital certificate for signing our VBA projects since I first became aware of the impending update in mid-June … then immediately after we’ve incurred that expense and got things working again in the least inconvenient way for our customers, Microsoft just flip a switch without telling anybody? You’ve got us jumping from one foot to the next and having to second guess what the next volte face is going to be.”
The Register has asked Microsoft to confirm the reversal of the default macro block, and to explain why it did not announce it publicly. We’ll update this story if we receive a substantive response. ®