Microsoft rolls back default macro blocks in Office without telling anyone

Microsoft appears set to roll back its decision to adopt a default stance of preventing macros sourced from the internet from running in Office unless given explicit permission. The software giant announced the change in February 2022 with a post that explained how macros written with Visual Basic for Applications are powerful …

  1. Mike 137 Silver badge

    Removes protection without telling anyone

    Unless you know the state of your infrastructure, you cannot secure it, and real security has to be accomplished locally by you - not devolved on third parties that don't know (nor indeed care about) your business exposure. These are fundamental principles that we (and, clearly, the vendors we rely on) ignore at our peril.

    1. Anonymous Coward

      Re: Removes protection without telling anyone

      Our corporate IT department does little more than migrate everything to Office 365/Azure, relay release notes to the company and, when something doesn't work, say they informed MS about it and shrug.

      And to be honest, they probably like it that way. They're not really responsible for anything any more.

      1. Mike 137 Silver badge

        Re: Removes protection without telling anyone

        "They're not really responsible for anything any more."

        They'll find out to the contrary the hard way. They will be held responsible when a data breach is investigated and penalised.

        1. Anonymous Coward

          Re: Removes protection without telling anyone

          You've never read the Terms & Conditions you agree to, have you? They could demand your first born in there and nobody would notice, but every agreement ever since the invention of the click-to-agree concept has declared the supplier totally free of blame for whatever cockup they stick in their code next, and Microsoft has of late been fully taking advantage of that. Just the cockup with Quick Assist alone is enough to convince anyone that they are now deliberately going out of their way proving that they can get away with just about anything.

          Personally I think those Terms ought to be banned for any company over a certain annual income.

          1. Paul Hovnanian Silver badge

            Re: Removes protection without telling anyone

            "They could demand your first born in there and nobody would notice"

            If they can get him out of my basement, they can have him.

            Please.

      2. Trixr

        Re: Removes protection without telling anyone

        Don't blame your "corporate IT department" whole cloth. Some of us have not entirely drunk the cloud Kool-aid*, but the executive suite has other ideas.

        (*Fine for some use-cases, if you can accept the risks.)

    2. sitta_europea Silver badge

      Re: Removes protection without telling anyone

      [quote]

      Unless you know the state of your infrastructure, you cannot secure it, and real security has to be accomplished locally by you - not devolved on third parties that don't know (nor indeed care about) your business exposure. These are fundamental principles that we (and, clearly, the vendors we rely on) ignore at our peril.

      [/quote]

      Correct. Nobody can say in 2022 that they didn't know that macros are a threat, and I for one wouldn't trust Microsoft to secure my bicycle.

  2. Pascal Monett Silver badge

    Typical Borkzilla

    Because it's not your computer anymore.

    Companies these days have the attention span of goldfish. Oh, a new idea ! Let's implement without thinking about its impact !

    And we need to implement agile, because that means we're professionals !

    Our society has completely lost the notion of stability and continuity.

    I don't see that changing any time soon.

    1. Mayday
      Flame

      Agile

      More like “Ag Hoc”

      Let’s tell everyone we’re agile.. we’ll demonstrate this by having a 15 minute morning standup which will go for over an hour, but we shan’t deploy CI/CD or DevOps practices but in reality demand timelines, Gantt Charts and due dates so it still looks like we (project managers, bean counters etc) are still relevant.

    2. ITMA Silver badge
      Flame

      Re: Typical Borkzilla

      "Oh, a new idea ! Let's implement without thinking about its impact !"

      Focussed f***ing Inbox!!!!

      1. Antron Argaiv Silver badge
        FAIL

        Re: Typical Borkzilla

        One might suspect that Microsoft's left hand does not know what Microsoft's right hand is doing, and both are completely disconnected from the brain (which is busy calculating revenue, stock price, and executive bonus amounts)

        There's little left to be done to Office in the way of improved functionality, so the last fifteen years have been feature churn.

        1. Strahd Ivarius Silver badge
          Facepalm

          Re: Typical Borkzilla

          "the brain (which is busy calculating revenue, stock price, and executive bonus amounts)"

          using a macro downloaded from the Internet, hence the rollback

    3. a_yank_lurker

      Re: Typical Borkzilla

      Manglement has an attention span that is much shorter than a goldfish, much, much shorter. Their collective IQ is < 0.

      My main beef with manglement is the tendency to be credential happy and not pay attention to details like a willingness to learn and grow professionally.

      1. CrazyOldCatMan Silver badge

        Re: Typical Borkzilla

        "Their collective IQ is < 0."

        The IQ of a crowd can be calculated by taking the lowest IQ value of those present and dividing by the number of the crowd.

        Given the IQ of the British Standard Middle Manager and the size of most management groups I suspect that your guess is not far off..

  3. Primus Secundus Tertius

    Maybe the reason for this reverse-ferret is to enable some future "enhancement" from Microsoft.

    1. Anonymous Coward

      future "enhancement" from Microsoft.

      You beat me to it.

    2. katrinab Silver badge
      Meh

      The last update to VBA was in Office 2013, so it is looking like abandonware at this point.

      1. Anonymous Coward

        That's ok - I'm happy with Excel 2010 running my useful local macros

        However - there seems to be no way to stop a banner repeatedly appearing telling me I should buy an updated version of Office. At some point I would not be surprised if Microsoft decided to "help" me by stopping my VBA working at all.

  4. Clausewitz4.0 Bronze badge
    Devil

    VBA legacy applications

    In the old days, I had an entire federal department managing thousands of assets via an Access file + VBA application.

    Using VBA significantly lowered the time I would spend setting up servers, databases, etc.. to create the application in a few days, and once you showed some workers they "just had to open a document" and the application would start to run, things became really simple and speedy in the office.

    Now it makes me wonder how many of these legacy systems are still in use nowadays.

    1. Trixr

      Re: VBA legacy applications

      Way too many, to be honest, and we're still cleaning up the mess of very idiosyncratic and unmaintainable solutions that are supposedly "mission-critical" apps in certain critical public-facing areas of the org.

  5. Anonymous Coward

    Tired

    Really tired of MS creating exploits for the hell of it.

    But I guess I can understand, it's one of the top 10 most hated companies in the world. Which means a lot of insiders hate them too, and those insiders with all that hate just make it worse. Ohhh look we can make this file type run code from the web without people knowing it - coolzeees, let's add that to every office app....... and flip it on and off and on just to listen to people scream.

    1. Cliffwilliams44 Silver badge

      Re: Tired

      Yes, VBA is exploitable! So is JavaScript via NPM! So are a lot of things. If you're creating these things, or if they were created in the past and you just HAVE to have them then pay for the cert and code sign them! Don't pass the blame to MS, it is YOUR responsibility and if management is unwilling to pay for the cert then they take the risk! All this is doing is delaying the inevitable! MS WILL remove this functionality by default and only signed macros will work!

  6. Doctor Syntax Silver badge

    "it's effectively broken some useful systems they've built."

    That's an odd way to spell "protected".

  7. StrangerHereMyself Silver badge

    Don't look back

    I switched to LibreOffice on Linux a long time ago and never looked back!

    This is just plain incompetence and banality if not mal-intent.

    1. Anonymous Coward

      Re: Don't look back

      Last time I tried to switch to LibreOffice - there was no VBA equivalent to port my time-saving macros.

      1. CrazyOldCatMan Silver badge

        Re: Don't look back

        "there was no VBA equivalent to port my time-saving macros"

        I would consider that a virtue, not a bug..

  8. Someone Else Silver badge

    You've got us jumping from one foot to the next and having to second guess what the next volte face is going to be.

    And this surprises you how, again?

    No Micros~1 victim customer could possibly be this naïve.

  9. cob2018

    "substantive response"

    Just for the record, El Reg, please tell us how often this actually happens, vs how often it does not.

    Inquiring minds want to know.

  10. Ken Moorhouse Silver badge

    Dear User

    Please to be clicking here to be changing the Macro permissions on Office.

    Yours sincerely

    Microsoft

  11. Paul Hovnanian Silver badge

    Which one of you asked for this, and why?

    Probably the people developing exploits that depend on this function.

    You can secure a system or protocol all you want. But then you will receive a call from that one poor single mother. With the children crying and dogs barking in the background. And the landlord is on his way to evict the whole bunch. If only you'd switch some setting on or off, all these problems would go away. And so, as the big-hearted person you are, you do. And then they've got your corporate network. Sometimes you just have to be an *sshole.

    "Do not redeem the card!"

  12. druck Silver badge

    To hell with security

    The only security Microsoft is interested in, is of their bottom line.

  13. Cliffwilliams44 Silver badge

    The title should be, Microsoft rolls back change because customers are stupid!

    If you are creating these macros for business purposes and you have not been code-signing them that's on you! You should have been doing this a long time ago.

    Macro enabled office documents should be blocked from email EVEN within the organization. They should only be accessible over other resources such as network shares and they MUST be code signed! Security is YOUR responsibility! Yes, it costs money!
