Microsoft is finally planning to block Visual Basic for Applications (VBA) macros by default in a variety of Office apps. The change will apply to Office files that are downloaded from the internet and include macros, so Office users will no longer be able to enable certain content with a simple click of a button.
"The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations," explains Kellie Eickmeyer, a principal PM at Microsoft.
Hackers have been targeting Office documents with malicious macros for years, and while Office has long prompted users to click a button to enable macros, this simple button could lead to "severe including malware, compromised identity, data loss, and remote access." Instead of a button, a security risk banner will appear with a link to a Microsoft support article, but no easy way to enable macros.
Microsoft is planning to preview the change with its Current Channel (Preview) users in early April, before rolling out to its regular Microsoft 365 customers. The change to block VBA macros from the web will affect Access, Excel, PowerPoint, Visio, and Word on Windows. Microsoft also plans to update Office LTSC, Office 2021, Office 2019, Office 2016, and even Office 2013 to block internet VBA macros.
This is a big change that could impact a lot of genuine use cases for VBA macros, and it means that Office users will only be able to enable the macros by specifically ticking an unblock option on the properties of a file. That's a lot more steps than usual, and ones that Microsoft is hoping will help prevent security issues in the future.
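For administrators who want to see which files the change will touch, here is an added example (not from Microsoft or the original article) that lists macro-capable Office files carrying the Windows "downloaded from the internet" mark. It assumes an NTFS volume, that the folder to audit is the user's Downloads folder, and an illustrative, non-exhaustive extension list.

```powershell
# Added example: audit a folder for macro-capable Office files that Windows
# has marked as coming from an untrusted zone.
$Path = Join-Path $env:USERPROFILE 'Downloads'   # assumed folder to audit

# Illustrative list of extensions that can carry VBA macros (not exhaustive).
$macroCapable = '.doc', '.dot', '.docm', '.dotm',
                '.xls', '.xlt', '.xlsm', '.xltm', '.xlsb', '.xlam',
                '.ppt', '.pptm', '.potm', '.ppsm', '.ppam'

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $macroCapable -contains $_.Extension.ToLower() } |
    ForEach-Object {
        # The mark is stored in an NTFS alternate data stream named
        # Zone.Identifier; files without the stream return nothing here.
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                      -ErrorAction SilentlyContinue
        $line = $stream | Where-Object { $_ -match '^ZoneId=\d+' } |
                    Select-Object -First 1
        $zoneId = if ($line) { [int]($line -replace '^ZoneId=', '') } else { $null }

        [pscustomobject]@{
            File          = $_.FullName
            ZoneId        = $zoneId
            # ZoneId 3 = Internet, 4 = Restricted sites.
            UntrustedZone = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    } |
    Where-Object { $_.UntrustedZone } |
    Format-Table -AutoSize

# For a file that has been verified as trusted, Unblock-File removes the
# Zone.Identifier stream, which is what the Unblock option in the file's
# properties does:
#   Unblock-File -LiteralPath 'C:\path\to\verified-file.xlsm'
```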
"Macros account for about 25 percent of all ransomware entry," explains security researcher and former Microsoft employee Kevin Beaumont. "Keep derisking macros and macro functions. It's really important. Thank you all the people behind the scenes doing this." Marcus Hutchins, a security researcher best known for halting the global WannaCry malware attack, also celebrated Microsoft's changes but noted the company has "decided to do the bare minimum" after years of malware infections.