With great power comes great responsibility. Wait. How does Spider-Man fit into this? Microsoft gave Microsoft Office almost unlimited control over the system via macros otherwise known as visual basic for applications (VBA) in order to extend the capabilities of Office. This enabled Office to become the premier office suite for computers because it made the software ultra-flexible. Businesses had the option of programming MS Office instead of purchasing off-the-shelf or expensive business software.
This power came at a price. VBA had as much power over the system as Visual Basic itself did. VBA can update the Windows registry, scan a user’s Outlook contact list, connect to an internet website and execute a link. Malware programmers immediately took advantage of this and cooked up viruses, worms, Trojans and worse, ransomware. Macros don’t need to do all the work; they could just edit the Windows registry and download other components to complete a malicious system. I read a great Star Trek series of books called Double Helix wherein a combination of prions when put together created a lethal virus thus making the mode of transmission almost untraceable. Prions are infectious agents similar to viruses but made up of mostly protein. Mad Cow Disease is an example of prion infection. In short, an office macro can act as a component prion and download other components to create a virus virtually untraceable by security software.
Microsoft made a stop-gap solution by disabling macros by default. Office documents with macros ask the user whether or not to enable them. Sensible users ask their IT first before responding ‘Yes’ or sensible developers properly document their macro-enabled documents making users aware of the extra features of their documents. That is not true for many small to medium sized businesses and households. Busy workers won’t let some lousy yellow bar prevent them from seeing what’s inside their word document or spreadsheet and will always respond ‘Yes’ and open up the system like a can of worms. Many of the most dangerous malware out there are loaded and run by unsuspecting users through macro-enabled Office documents. Thankfully that era has finally ended as some genius in Microsoft finally thought to take the decision of running macros out of users’ hands and into the hands of system administrators who have the greater responsibility. Microsoft included the ability to run macros to system administrators as part of the network’s group policy.
Users often wondered why Microsoft haven’t removed its macros feature from Microsoft Office if it’s one of the major vectors of malware. Microsoft could instead create a poll of the top 500 functions macros are used for and incorporate them in Office and stomp out macros completely. That approach could probably leave out the bottom 9,500 reasons to use macros and piss off thousands of companies.
But Microsoft’s current approach is just as good. No user can enable any macro-laden documents without asking their system administrators who know better. And sensible administrators hopefully wouldn’t give their executives superuser/administrator status thus spreading malware from the top-down. After years and years of spreading malware through Office macros, malware authors will now have to phish in bluer waters.
However, this new feature only applies to Office 2016. Owners of earlier versions remain vulnerable to macro-based attacks until they upgrade. This could also be an income generating strategy for Microsoft to get their users to get the latest version of Office and even Windows 10. There are still holdouts of Office 2003 due to resistance to the ribbon interface.
“The enduring appeal for macro-based malware appears to rely on the likelihood to enable macros… Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.”
–Microsoft Blog post
Examples of clever macro attacks include the infamous “I Love You” virus which infected millions of computers worldwide and spread like wildfire. Who wouldn’t want to open an email with that subject coming from a friend or colleague? Just recently, millions of computers were infected by the macro-based Lockey ransomware which disguised itself as some kind of scrambled invoice to be paid. Business-centric users were likely to open the email and enable the macro of the attached word document promising a better view of the garbage displayed instead of an invoice. Victims ended up having their files encrypted and can only open them by paying the authors in bitcoin.
Hopefully, this new feature trickles down to earlier office versions if Microsoft is sincere in its malware-busting efforts or maybe until they reach some sort of quota.