Microsoft Backs Off Internet Office Macro Ban [Update]

July 13, 2022 | Larry Seltzer

On July 8, Microsoft said it was rolling back blocking of Internet macros by default in Office. “Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability,” Microsoft said. That change affected Office applications – on devices running Windows – including Access, Excel, PowerPoint, Visio, and Word.

UPDATE: In a July 20, 2022 update, Microsoft said* that it was resuming blocking Visual Basic for Applications (VBA) macros by default across Office apps.

Microsoft disabled macros by default years ago

Microsoft Office macros are programming code and at least as vulnerable to abuse as other forms of programming. Malware written as Office macros and delivered in Office documents became so prevalent that Microsoft disabled Office macros by default many years ago.

However, you could still re-enable them, as malicious Office documents would prod you to do. Because some users took the bait and enabled the macros, in February Microsoft took the further step of disabling VBA macros obtained from the Internet. If you opened such a document, you would see this message: 

As the error message indicates, the problem isn’t so much that the macro came from the Internet but that it came from an untrusted source. The announcement described a series of conditions under which Office would trust a macro, such as when IT had set a policy to do so, or if the macros were digitally signed with a certificate issued by a trusted certificate authority.

On July 8, Microsoft backed off this change, which had gone into effect with the June Current Channel release. They must have received a lot of negative feedback, and they announced:

"Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.

Regardless of the default setting, customers can block internet macros through the Group Policy settings described in this article.

We will provide additional details on timeline in the upcoming weeks."

Microsoft intends to make this change happen. And there are good reasons for them to do so. Clearly the user experience of the first attempt at the change was inadequate.

Following the rules that Microsoft set for making Office trust legitimate macros is well within the capabilities of large organizations with sophisticated IT departments. The problems are likely to be primarily with SMBs and other small organizations which do not have and cannot afford sophisticated IT support.
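For administrators who do not want to depend on the shipped default, the Group Policy setting mentioned in Microsoft's statement can be audited per application. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the per-user policy value for the five applications named above. The registry path and the value name `blockcontentexecutionfrominternet` come from Microsoft's policy documentation rather than from this page, and the Office 2016-or-later hive version `16.0` is an assumption to confirm against your deployed ADMX templates.

```powershell
# Added example: audit the per-user policy "Block macros from running in
# Office files from the Internet" for the apps named in the article.
# Assumption: Office 2016 or later, whose policy hive version is 16.0.
$apps      = 'access', 'excel', 'powerpoint', 'visio', 'word'
$valueName = 'blockcontentexecutionfrominternet'

function Get-InternetMacroPolicy {
    param(
        [string[]]$Application   = $apps,
        [string]  $OfficeVersion = '16.0'
    )
    foreach ($app in $Application) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        # A missing key or value means the policy is "Not configured",
        # so the app follows whatever default the installed build ships with.
        $raw = $null
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $raw = $prop.$valueName }
        }

        $state = if ($null -eq $raw) { 'Not configured (build default applies)' }
                 elseif ($raw -eq 1) { 'Enabled (internet macros blocked)' }
                 elseif ($raw -eq 0) { 'Disabled (internet macros NOT blocked by policy)' }
                 else                { "Unexpected value: $raw" }

        [pscustomobject]@{
            Application = $app
            PolicyValue = $raw
            State       = $state
        }
    }
}

# Run as the user whose policy you want to inspect (the hive is HKCU).
Get-InternetMacroPolicy | Format-Table -AutoSize
```

Any application reported as "Not configured" is the one whose behaviour changed with the rollback and the later resumption; "Enabled" pins the block regardless of what the default does.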

Best way to create trusted macros

The best way to create macros that will be trusted, even after Microsoft turns the screws on Office macro security, is to digitally sign them with a code signing certificate issued by a trusted certificate authority.

When issued by a public CA, these certificates cost hundreds of dollars. Larger organizations may have private CAs, such as Venafi Trust Protection Platform or HashiCorp Vault. Macros signed with certificates issued by such a private CA will only be trusted inside those organizations, which may be an added bonus. But if the document with the macros needs to be shared outside the organization, a public CA certificate will be required.

Microsoft is still paying for the original sin of poor or non-existent security in earlier versions of Office. They allowed, even encouraged, habits that have since been recognized as dangerous. Users always have an “if it ain’t broke, don’t fix it (especially if the fix will be expensive)” mentality, and security restrictions usually come across as pure burden to users who don’t understand the potential of the vulnerability. An implementation of this restriction that will be painless to users inconvenienced by the first attempt will be a challenge.

----

NOTES: 

* "We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share," Microsoft said in the July 20 update. See full Microsoft statement.

About the author

Larry Seltzer, Technical Content Writer, Venafi