back to article Microsoft rolls back default macro blocks in Office without telling anyone

Microsoft appears set to roll back its decision to adopt a default stance of preventing macros sourced from the internet from running in Office unless given explicit permission. The software giant announced the change in February 2022 with a post that explained how macros written with Visual Basic for Applications are powerful …

  1. Mike 137 Silver badge

    Removes protection without telling anyone

    Unless you know the state of your infrastructure, you cannot secure it, and real security has to be accomplished locally by you - not devolved on third parties that don't know (nor indeed care about) your business exposure..These are fundamental principles that we (and, clearly, the vendors we rely on) ignore at our peril.

    1. Anonymous Coward
      Anonymous Coward

      Re: Removes protection without telling anyone

      Our corporate IT department does little more than migrate everything to Office 365/Azure, relay release notes to the company and, when something doesn't work, say they informed MS about it and shrug.

      And to be honest, they probably like it that way. They're not really responsible for anything any more.

      1. Mike 137 Silver badge

        Re: Removes protection without telling anyone

        "They're not really responsible for anything any more."

        They'll find out to the contrary the hard way. They will be held responsible when a data breach is investigated and penalised.

        1. Anonymous Coward
          Anonymous Coward

          Re: Removes protection without telling anyone

          You've never read the Terms & Conditions you agree to, have you? They could demand your first born in there and nobody would notice, but every agreemens ever since the invention of the click-to-apree concept has declared the supplier totally free of blame for whatever cockup they stick in their code next, and Microsoft has of late been fully taking advantage of that. Just the cockup with Quick Assist alone is enough to convince anyone that they are now deliberately going out of their way proving that they can get away with just about anything,

          Personally I think those Terms ought to be banned for any company over a certain annual income.

          1. Paul Hovnanian Silver badge

            Re: Removes protection without telling anyone

            "They could demand your first born in there and nobody would notice"

            If they can get him out of my basement, they can have him.

            Please.

      2. Trixr

        Re: Removes protection without telling anyone

        Don't blame your "corporate IT department" whole cloth. Some of us have not entirely drunk the cloud Kool-aid*, but the executive suite has other ideas.

        (*Fine for some use-cases, if you can accept the risks.)

    2. sitta_europea

      Re: Removes protection without telling anyone

      [quote]

      Unless you know the state of your infrastructure, you cannot secure it, and real security has to be accomplished locally by you - not devolved on third parties that don't know (nor indeed care about) your business exposure..These are fundamental principles that we (and, clearly, the vendors we rely on) ignore at our peril.

      [/quote]

      Correct. Nobody can say in 2022 that they didn't know that macros are a threat, and I for one wouldn't trust Microsoft to secure my bicycle.

  2. Pascal Monett Silver badge

    Typical Borkzilla

    Because it's not your computer anymore.

    Companies these days have the attention span of goldfish. Oh, a new idea ! Let's implement without thinking about its impact !

    And we need to implement agile, because that means we're professionals !

    Our society has completely lost the notion of stability and continuity.

    I don't see that changing any time soon.

    1. Mayday Silver badge
      Flame

      Agile

      More like “Ag Hoc”

      Let’s tell everyone we’re agile.. we’ll demonstrate this by having a 15 minute morning standup which will go for over an hour, but we shan’t deeply CI/CD or Devops practices but in reality but demand timelines, Gantt Charts and due dates so it still looks like we (project managers, bean counters etc) are still relevant.

    2. ITMA Bronze badge
      Flame

      Re: Typical Borkzilla

      "Oh, a new idea ! Let's implement without thinking about its impact !"

      Focussed f***ing Inbox!!!!

      1. Antron Argaiv Silver badge
        FAIL

        Re: Typical Borkzilla

        One might suspect that Microsoft's left hand does not know what Microsoft's right hand is doing, and both are completely disconnected from the brain (which is busy calculating revenue, stock price, and executive bonus amounts)

        There's little left to be done to Office in the way of improved functionality, so the last fifteen years have been feature churn.

        1. Strahd Ivarius Silver badge
          Facepalm

          Re: Typical Borkzilla

          the brain (which is busy calculating revenue, stock price, and executive bonus amounts)

          using a macro downloaded from the Internet, hence the rollback

    3. a_yank_lurker Silver badge

      Re: Typical Borkzilla

      Manglement has an attention span that is much shorter than a goldfish, much, much shorter. Their collective IQ is < 0.

      My main beef with manglement is the tendency to be credential happy and not pay attention to details like a willingness to learn and grow professionally.

      1. CrazyOldCatMan Silver badge

        Re: Typical Borkzilla

        Their collective IQ is

        The IQ of a crowd can be calculated by taking the lowest IQ value of those present and dividing by the number of the crowd.

        Given the IQ of the British Standard Middle Manager and the size of most management groups I suspect that your guess is not far off..

  3. Primus Secundus Tertius Silver badge

    Maybe the reason for this reverse-ferret is to enable some future "enhancement" from Microsoft.

    1. Anonymous Coward
      Anonymous Coward

      future "enhancement" from Microsoft.

      You beat me to it.

    2. katrinab Silver badge
      Meh

      The last update to VBA was in Office 2013, so it is looking like abandonware at this point.

      1. Anonymous Coward
        Anonymous Coward

        That's ok - I'm happy with Excel 2010 running my useful local macros

        However - there seems to be no way to stop a banner repeatedly appearing telling me I should buy an updated version of Office. At some point I would not be surprised if Microsoft decided to "help" me by stopping my VBA working at all.

  4. Clausewitz4.0
    Devil

    VBA legacy applications

    In the old days, I had an entire federal department managing thousands of assets via an Access file + VBA application.

    Using VBA significantly lowered the time I would spend setting up servers, databases, etc.. to create the application in a few days, and once you showed some workers they "just had to open a document" and the application would start to run, things became really simple and speedy in the office.

    Now it makes me wonder how many of these legacy systems are still in use nowadays.

    1. Trixr

      Re: VBA legacy applications

      Way too many, to be honest, and we're still cleaning up the mess of very idiosyncratic and unmaintainable solutions that are supposedly "mission-critical" apps in certain critical public-facing areas of the org.

  5. Anonymous Coward
    Anonymous Coward

    Tired

    Really tired of MS creating exploits for the hell of it.

    But I guess I can understand, it's one of the top 10 most hated companies in the world. Which means a lot of insiders hate them too, and those insiders with all that hate just make it worse. Ohhh look we can make this file type run code from the web without people knowing it - coolzeees, lets add that to every office app....... and flip it on and off and on just to listen to people scream.

    1. Cliffwilliams44 Bronze badge

      Re: Tired

      Yes, VBA is exploitable! So is JavaScript via NPM! So are a lot of things. If your creating these things, or If they were created in the past and you just HAVE to have them then pay for the cert and code sign them! Don't pass the blame to MS, it is YOUR responsibility and if management is unwilling to pay for the cert the they take the risk! All this is doing is delaying the inevitable! MS WILL remove this functionality by default and only signed macros will work!

  6. Doctor Syntax Silver badge

    "it's effectively broken some useful systems they've built."

    That's an odd way to spell "protected".

  7. StrangerHereMyself Bronze badge

    Don't look back

    I switched to LibreOffice on Linux a long time ago and never looked back!

    This is just plain incompetence and banality if not mal-intent.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't look back

      Last time I tried to switch to LibreOffice - there was no VBA equivalent to port my time-saving macros.

      1. CrazyOldCatMan Silver badge

        Re: Don't look back

        there was no VBA equivalent to port my time-saving macros

        I would consider that a virtue, not a bug..

  8. Someone Else Silver badge

    You've got us jumping from one foot to the next and having to second guess what the next volte face is going to be.

    And this surprises you how, again?

    No Micros~1 victim customer could possibly be this naïve.

  9. cob2018

    "substantive response"

    Just for the record, El Reg, please tell us how often this actually happens, vs how often it does not.

    Inquiring minds want to know.

  10. Ken Moorhouse Silver badge

    Dear User

    Please to be clicking here to be changing the Macro permissions on Office.

    Yours sincerely

    Microsoft

  11. Paul Hovnanian Silver badge

    Which one of you asked for this, and why?

    Probably the people developing exploits that depend on this function.

    You can secure a system or protocol all you want. But then you will receive a call from that one poor single mother. With the children crying and dogs barking in the background. And the landlord is on his way to evict the whole bunch. If only you'd switch some setting on or off, all these problems would go away. And so, as the big-hearted person you are, you do. And then they've got your corporate network. Sometimes you just have to be an *sshole.

    "Do not redeem the card!"

  12. druck Silver badge

    To hell with security

    The only security Microsoft is interested in, is of their bottom line.

  13. Cliffwilliams44 Bronze badge

    The title should be, Microsoft rolls back change because customers are stupid!

    If you are creating these macros for business purposes and you have not been code-signing them that's on you! You should have been doing this a long time ago.

    Macro enabled office documents should be blocked from email EVEN within the organization. They should only be accessible over other resources such as network shares and they MUST be code signed! Security is YOUR responsibility! Yes it cost money!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022