On July 8, Microsoft said it was rolling back blocking of Internet macros by default in Office. “Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability,” Microsoft said. That change affected Office applications – on devices running Windows – including Access, Excel, PowerPoint, Visio, and Word.
UPDATE: In a July 20, 2022 update, Microsoft said* that it was resuming blocking Visual Basic for Applications (VBA) macros by default across Office apps.
Microsoft Office macros are programming code and at least as vulnerable to abuse as other forms of programming. Malware written as Office macros and delivered in Office documents became so prevalent that Microsoft disabled Office macros by default many years ago.
However, you could still re-enable them, as malicious Office documents would prod you to do. Because some users took the bait and enabled the macros, in February Microsoft took the further step of disabling VBA macros obtained from the Internet. If you opened such a document, you would see this message:
As the error message indicates, the problem isn’t so much that the macro came from the Internet but that it came from an untrusted source. The announcement described a series of conditions under which Office would trust a macro, such as when IT had set a policy to do so, or if the macros were digitally signed with a certificate issued by a trusted certificate authority.
On July 8, Microsoft backed off this change, which went into effect with the June Current Channel Release. They must have received a lot of negative feedback, and on July 8, they announced:
"Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.
Regardless of the default setting, customers can block internet macros through the Group Policy settings described in this article.
We will provide additional details on timeline in the upcoming weeks."
Microsoft intends to make this change happen. And there are good reasons for them to do so. Clearly the user experience of the first attempt at the change was inadequate.
Following the rules that Microsoft set for making Office trust legitimate macros is well within the capabilities of large organizations with sophisticated IT departments. The problems are likely to be primarily with SMBs and other small organizations which do not have and cannot afford sophisticated IT support.
The best way to create macros that will be trusted, even after Microsoft turns the screws on Office macro security, is to digitally sign them with a code signing certificate issued by a trusted certificate authority.
When issued by a public CA, these certificates cost hundreds of dollars. Larger organizations may have private CAs, such as Venafi Trust Protection Platform or Hashicorp Vault. Macros signed with certificates issued by such a private CA will only be trusted inside those organizations, which may be an added bonus. But if the document with the macros needs to be shared outside the organization, a public CA certificate will be required.
Microsoft is still paying for original sin of poor or non-existent security in earlier versions of Office. They allowed, even encouraged habits that have since been recognized as dangerous. Users always have an “if it ain’t broke, don’t fix it (especially if the fix will be expensive)” mentality and security restrictions usually come across as pure burden to users who don’t understand the potential of the vulnerability. An implementation of this restriction that will be painless to users inconvenienced by the first attempt will be a challenge.
* "We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share," Microsoft said in the July 20 update. See full Microsoft statement.