Microsoft is going back on its decision to disable macros by default. Image: Shutterstock
Microsoft has quietly rolled back its much-lauded plans to disable macros by default on its Office365 platform, much to the chagrin of cyber security professionals.
Office macros are such a common attack vector for cyber criminals that the Australian Cyber Security Centre includes disabling them as one of the Essential Eight cyber security mitigation strategies.
In February, Microsoft said it would make macros disabled by default “for the protection of our customers” – a decision security researchers described as a “game changer” for keeping systems secure.
But last week, users began commenting on Microsoft’s initial blog about the change asking if it had been rolled back.
Within half an hour, a Microsoft employee responded, confirming that, yes, it was going back on its pledge to disable macros default, and, no, Microsoft hadn’t told anybody.
“Based on feedback received, a rollback has started,” said the Microsoft representative.
“An update about the rollback is in progress. I apologise for any inconvenience of the rollback starting before the update about the change was made available.”
The original change made it more difficult for users to enable macros on files downloaded on the internet.
Currently, Office apps come up with a small bar and a button that says ‘Enable Content’ which will enable macros if clicked.
Cyber criminals frequently use macros, hiding scripts that deliver malware in innocent-looking documents which urge their recipient to click that ‘Enable Content’ button.
Shane Huntley, a member of Google’s Threat Analysis Group, said Microsoft had made a “sad decision” by rolling back the changes.
“Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts,” he said.
Likewise, Kevin Beaumont, a security researcher who has worked with Microsoft, said he was “disappointed” that “the single most impactful change Microsoft could have made to radically improve a real world cybersecurity issue in their own back garden … was rolled back without even being communicated”.
Speculation abounded about why Microsoft would revert the changes with some suggesting that its proposed ‘Mark of the Web (MOTW)’ solution was too complex for casual enterprise users, while others claimed it was likely due to complaints from large legacy users.
A Microsoft spokesperson said the rollback was “a temporary” change and that it is “fully committed to making the default change for all users”.