On February 8, Microsoft announced today that it will block the execution of VBA macro scripts in 5 Office applications by default, one of the most impactful changes in recent years. Starting in early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts in untrusted files they download from the Internet.
Security researchers have been demanding this change for years, which would put a powerful hurdle on malware gangs that rely on tricking users into enabling macro scripts as a way to install malware on their systems. In these attacks, users usually receive a copy of a file via email or are instructed to download it from an Internet site. When they open the file, an attacker typically leaves a message instructing the user to enable the execution of macro scripts.
While users with some technical and cybersecurity knowledge may be able to recognize that this is a bait for contracting malware, many everyday Office users still don't realize this technique and end up following the instructions provided, effectively infecting themselves with malware.
Dealing with this problem has been a thorn in Microsoft's spine, as VBA macro scripts are often used within the company to automate certain actions and tasks when opening certain files, such as importing data from dynamic sources and updating the contents inside a document.
Since the early 2000s, Microsoft has tried to solve this problem by displaying a mild security warning in the form of a toolbar at the top of the document, but this warning also contains controls that allow users to execute macro scripts.
After this change is rolled out to end users, the warning changes to display a red warning bar informing users that macros are included in the document but cannot be enabled for security reasons.
Microsoft announced its plans today in a blog post on its Tech Community Portal. The blog post also contains a logical description of what five Office applications will follow when deciding whether to allow or block the execution of macro scripts within a document.
Microsoft said the default decision to block VBA macros only affects Access, Excel, PowerPoint, Visio and Word on Windows. Documents containing VBA macros that are created and obtained within an organization's trust network will still be allowed to execute.
"This change will begin rolling out in version 2203, starting with the current channel (preview) in early April 2022," Microsoft said today. "In the future, the change will be available in other update channels, such as the current channel, the monthly enterprise channel, and the semi-annual enterprise channel."
The change will also be available to all Microsoft 365 customers, and the os-system manufacturer said it also plans to pass the change back to other Office versions such as Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
Once completed, the move would block the spread of a large amount of malware, but would also affect many financially and politically motivated espionage activities; however, these operations are likely to continue using other technologies. Previously, after similar abuse by malware gangs, Microsoft also blocked the execution of Excel 4.0 (XLM) macro scripts.