Microsoft makes major course reversal, allows Office to run untrusted macros

Microsoft has stunned core parts of the security community with a decision to quietly reverse course and allow untrusted macros to be opened by default in Word and other Office applications.

In February, the software maker announced a major change it said it enacted to combat the growing scourge of ransomware and other malware attacks. Going forward, macros downloaded from the Internet would be disabled entirely by default. Whereas previously, Office provided alert banners that could be disregarded with the click of a button, the new warnings would provide no such way to enable the macros.

“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Microsoft Office Program Manager Tristan Davis wrote in explaining the reason for the move.

Security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.

‘Very poor product management’

Now, citing undisclosed “feedback,” Microsoft has quietly reversed course. In comments like this one posted on Wednesday to the February announcement, various Microsoft employees wrote: “based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience.”

The terse admission came in response to user comments asking why the new banners were no longer looking the same. The Microsoft employees didn’t respond to forum users’ questions asking what the feedback was that caused the reversal or why Microsoft hadn’t communicated it prior to rolling out the change.

“It feels like something has undone this new default behavior very recently,” a user named vincehardwick wrote. “Maybe Microsoft Defender is overruling the block?”

After learning Microsoft rolled back the block, vincehardwick admonished the company. “Rolling back a recently implemented change in default behavior without at least announcing the rollback is about to happen is very poor product management,” the user wrote. “I appreciate your apology, but it really should not have been necessary in the first place, it’s not like Microsoft are new to this.”

On social media, security professionals lamented the reversal. This tweet, from the head of Google’s threat analysis group, which investigates nation-state-sponsored hacking, was typical.

“Sad decision,” Google employee Shane Huntley wrote. “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.”

Not all experienced defenders, however, are criticizing the move. Jake Williams, a former NSA hacker who is now executive director of cyber threat intelligence at security firm SCYTHE, said the change was necessary because the previous schedule was too aggressive in the deadline for rolling out such a major change.

“While this isn’t the best for security, it’s exactly what many of Microsoft’s largest customers need,” Williams told Ars. “The decision to cut off macros by default will impact thousands (more?) of business-critical workflows. More time is needed to sunset.”

Microsoft PR has provided no comment on the change in the almost 24 hours that have passed since it first surfaced. A representative told me she is checking on the status.