Microsoft Tackles Macro Malware

John Lister's picture

Microsoft is making it harder for scammers to distribute ransomware and other malware through Office documents. However, the tighter default block on Visual Basic macros may frustrate some users.

A macro is a way of reducing a series of instructions to a single instruction, while VBA (Visual Basic for Applications) is the language used to write macros in Microsoft programs. Macros are often used for frequently performed tasks.

To give a hypothetical example, a user could create a macro in a spreadsheet so that pressing a couple of keys together tells the computer to check two columns for any likely typos (such as a missing decimal point), average the contents of the two columns, then immediately save the file.

Ransomware Risk

The problem with macros is that scammers can insert them into Office documents and trick people into opening them. The macro then carries out malicious instructions, often taking advantage of known operating system or MS Office flaws.

One researcher quoted by The Verge estimated that macros are used in around 25 percent of successful ransomware attacks. (Source: theverge.com)

Until now, a file with a VBA macro displayed a "Security Warning" that simply noted "Macros have been disabled" and showed a button reading "Enable Content" that runs the macro. While this might alert some users, it isn't necessarily going to seem suspicious to somebody who has already been misled into opening the document.

Red Alert

The change means files opened from attachments or downloaded from the Internet will carry a more explicit warning with a red background and the wording "SECURITY RISK. Microsoft has blocked macros from running because the source of this file is untrusted."

There will no longer be an option to click a button to enable the macros. Instead, users will have the option to click a button reading "Learn More." This will bring up an article explaining more details about macros and the risks. (Source: microsoft.com)

To run the macro, the user will have to read through the article, save the document to a hard drive, then change a setting in its file properties to unblock macros.
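
The "untrusted source" decision described above rests on a marker Windows attaches to downloaded files (the `Zone.Identifier` stream, commonly called Mark of the Web), which this article does not name. As an added example, not from the article or from Microsoft, this Python code parses that marker so an administrator can audit which macro-capable files would be blocked; the extension list, the "ZoneId of 3 or higher" rule and the sample URL are assumptions.

```python
import configparser
from pathlib import Path

# Windows URL security zones as recorded in the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Assumption: a non-exhaustive set of Office extensions that can carry VBA.
MACRO_EXTENSIONS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb",
                    ".xltm", ".ppt", ".pptm", ".ppsm"}


def parse_zone_identifier(text):
    """Return (zone_id, host_url) from Zone.Identifier stream text, or None."""
    # interpolation=None: URLs may contain '%', which must not be expanded.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        section = parser["ZoneTransfer"]
        return int(section["ZoneId"]), section.get("HostUrl")
    except (configparser.Error, KeyError, ValueError):
        return None  # missing or malformed mark


def read_mark(path):
    """Read the mark from a file on an NTFS volume; None if it is absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def macros_blocked(filename, mark):
    """Assumed rule: macro-capable file marked Internet (3) or Restricted (4)."""
    if Path(filename).suffix.lower() not in MACRO_EXTENSIONS:
        return False
    return mark is not None and mark[0] >= 3


# Constructed sample of the stream a browser writes alongside a download.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "HostUrl=https://files.example/invoice.docm\r\n")

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE)
    print(ZONES.get(mark[0]), mark[1], macros_blocked("invoice.docm", mark))
```
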

What's Your Opinion?

Is this a smart move by Microsoft? Will it reduce the number of malware victims? Will it cause too much disruption to people who get legitimate files with macros as attachments or downloads?


Comments

Dennis Faas's picture

Microsoft could go a step further and have the macro submitted (or its hash) to a centralized page that has reviews from other users that state whether or not the macro in question is harmful or not - sort of like using virustotal.com and web of trust. Or better yet, have all newly downloaded macros scanned by Windows Defender and automatically deleted if they're known to be malicious based on reputation.

doulosg's picture

Your second sentence refers to "virtual basic macros." Did you mean to say, "visual basic macros" at that point? (And feel free to delete this comment if you do change the text.)

pctyson's picture

Many times, the weakest point for malware entry is the mouse or keyboard. People need to be a little skeptical unless they are certain. When I was looking after the computers at the company I worked for (not my primary responsibility), most issues we had resulted from people not taking the few seconds to question "should I do this?" I wish that people would take a moment to research before clicking or hitting enter, but they likely will not. I agree completely with you, Dennis. It needs to be a built-in function, either through deletion or warning.