Sign in / up

back to article Microsoft closes off two avenues of attack: Office macros, RDP brute-forcing

Microsoft is trying to shut the door on a couple of routes cybercriminals have used to attack users and networks. The enterprise IT giant's policy of blocking Visual Basic for Applications (VBA) macros in downloaded Office documents by default has been activated once again after a brief pause to address feedback from users who …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    Did they also improve the alerting or logging?

    If not that's a yes please and also, with a side of natively supported MFA for local accounts.

    Bringing the behavior into parity the local login policy without addressing the others is a band-aid not a fix. Currently most users can't tell if they are being brute forced, and the default windows logs are a 90s era horror.That said locking the users (active) account, possibly from a different domain connected computer, without notice, is a very classic M$ power move. Funny that their email system will notify IT if there are too many break-in attempts on one of our domains email addresses, but not on their domain accounts by default.

    Instead we have to set up our own log collectors, and very carefully screen them, as no two versions of windows will seemingly log password attempt/succeed/fail in a consistent or traceable manner, or by default.

    5 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Did they also improve the alerting or logging?

      They decided to concentrate their efforts on more important features, like building in a easy switch for clueless Corporate IT departments which makes using non-Edge browsers with SSO a pain or impossible.

      8 0 Reply
  2. david 12 Silver badge

    Accounts on our Win2K computers would lock after multiple failed login attempts.

    I assume that this announcement means that the default local-policy setting has been changed for home computers. The basic feature has been there since a lot longer than 2016..

    5 0 Reply
  3. Doctor Syntax Silver badge

    Maybe something a bit more creative then simply locking. A tar-pit for instance.

    2 0 Reply
  4. mark l 2 Silver badge

    (The policy was to block these particular macros by default in Access, Excel, PowerPoint, Visio, and Word, though after a few months of – at times, negative – feedback from users, Microsoft put a temporary halt on the initiative. Complaints ranged from critiques about how the blocking was implemented to the negative impact it had on some users' systems.)

    So a few users had a moan because it made their life more difficult so MS back tracked on improved security for the masses? Those complaining will probably be the first ones to get compromised because they just click on Yes/Accept/OK to every dialog box and pop up.

    And lets be honest although im a LibreOffice user, those people who want macros in their docs won't switch away from MS Office no matter what Microsoft does with it, so they should just go ahead and make the security changes and be damned with the moaners who are complaining.

    1 0 Reply
    1. Zippy´s Sausage Factory
      Reply Icon
      Facepalm

      I've made a living from Office macros in the past (I was using them as recently as last week) and I do welcome this change.

      The number of people who just run things without thinking and then go "oh I thought it was all right to just click yes to all seventeen prompts to open 'ranzomware.pdf.jpg.png.exe.exe.exe' lol" just beggars belief...

      2 0 Reply
  5. dajames

    Macros

    That macros in Office documents cause security issues should be no surprise to anyone. These issues arise because the model is fundamentally broken -- the data and the program logic should have been made separate from the outset. That is: The macros should not have been stored in the same file as the data, but should have been made separate entities.

    That way it would have been possible to send the data (only) of an Office document by EMail (or any other way) in a file that would have been readable by Office on another machine, but only as a read-only document as the logic required for recalculation would have been absent. If you wanted the recipient to be able to alter the data you would have to ensure that the recipient also had access to the macro 'program' (which, in a corporate environment, would have been pre-installed by IT services, who would have checked what it did and protected it from subsequent alteration).

    Unfortunately, back in the day when Microsoft were pushing software to perform all these 'clever' tasks they had no concept whatever of security, and so lumbered us with a broken document/program model that has troubled us all ever since.

    1 4 Reply
  6. Nifty

    RDP really this insecure?

    "...the Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows somebody to use it remotely... It's a front door to your computer that can be opened from the Internet by anyone with the right password."

    You'd need to be on the same local network or have port forwarding set up. Not so much of an issue for home users. RDP bruteforcing could be a thing with malware hopping between machines on corporate networks, though even here, the tendency is to use an MS or company user ID for RDP. Isn't there already 2FA for that?

    7 0 Reply
    1. Trigun
      Reply Icon

      Re: RDP really this insecure?

      Yep. That quote sounded like something to scare the average non-techy person.

      3 0 Reply
    2. Mayday
      Reply Icon
      Windows

      Re: RDP really this insecure?

      I had a customer set up remote access for me. I heaved when they said “hey to get in, RDP to this public IP address and use your username and password”

      The box was sitting in the breeze with a public IP. This was given to me by a supposed IT guy. Who knows what else was happening to this poor box sitting on the internet with a public IP and no firewall. Let alone what would happen when this “trusted” box got compromised and the baddies could hop off from it.

      So there you go. It happens.

      In case you couldn’t rest in bed tonight and wanted to know the outcome, I asked the customer to remove this box and I never even logged into it.

      1 0 Reply
      1. Nifty
        Reply Icon

        Re: RDP really this insecure?

        When I first got cable internet, NTL supplied a modem with ethernet socket. To get it up and running I ran an ethernet cable directly to our PC. All working fine until I realised this was inconvenient. Bought a WiFi router shortly afterwards

        Sometimes I wonder: Was that PC sitting directly on the internet? As an aside, I called NTL once on a technical matter, mentioned the router and they said it was against policy for more than one computer to share the connection!

        0 0 Reply
        1. Mayday
          Reply Icon

          Re: RDP really this insecure?

          Was the PC Directly on the internet?

          Depends. Short version, if the PC did the PPP authentication (PPPoE), and the modem was a bridge then yes. If the modem itself was authenticating, and was routed and doing NAT then no.

          “Policy” has little to do with function. Although the scnenario you describe is probably a bridged modem forwarding PPP to the PC, which generally means one device can use the bridge.

          Edit: I was a few gins in when I wrote this so I’ll review it tomorrow morning.

          1 0 Reply
          1. Missing Semicolon Silver badge
            Reply Icon

            Re: RDP really this insecure?

            The original little blue boxes were just modems, no NAT. So yes, you needed a firewall on your Windows 98 machine to prevent it being mightily rogered.

            Which you could not download until you'd connected to the internet....

            (signed up to cable internet when it was still Mercury Communications)

            1 0 Reply
      2. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: RDP really this insecure?

        A few years ago my other half (who works in a private eucation establishment) had to access the main work system for said establishment from home. The way their IT deparement did that was to give her a CD with a saved rdp connection which pointed to their public IP and had the saved (domain) administrator password. She was most amused at the ranting that ensued when I saw how they'd done it....

        2 0 Reply
  7. Blackjack Silver badge

    It has been how long since Word 6.0? Maybe in a decade more they will make e-mail be plaintext by default.

    5 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like