Microsoft rolls back default macro blocks in Office • The Register

2022-07-08 03:57:49 By: Mr. Jack Zheng

Microsoft appears set to roll back its decision to adopt a default stance of preventing macros sourced from the internet from running in Office unless given explicit permission.

The software giant announced the change in February 2022 with a post that explained how macros written with Visual Basic for Applications are powerful, but offer a way for criminals to drop malicious payloads onto the desktop.

The potential for such attacks is hardly new. The infamous Melissa virus rampaged across the world's mail servers in 1999 thanks to malicious macros embedded in a Word document. Things got worse over the years, so in 2016 Microsoft upped the ante with a tool that allowed admins to define when and where macros were allowed to run. Microsoft also stopped running macros without first asking users if they really wanted to do so.

But the problem kept getting worse. So in February this year Microsoft decided to block macros by default in Access, Excel, PowerPoint, Visio, and Word, explaining that the change made Office "more secure and is expected to keep more users safe including home users and information workers in managed organizations."

Now the company appears to have reversed that decision.

A comment from a chap named Vince Hardwick noted that the default blocking of macros appeared to have been removed in the Current Channel for Office. Bleeping Computer appears to have spotted the thread before The Register.

A Microsoft staffer named Angela Robertson responded with the following:

Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

Robertson did not discuss the feedback Microsoft has received that led to the change, but among the many comments on the original post announcing the block are complaints from users who took issue with the way macro blocking was implemented or lamented that it's effectively broken some useful systems they've built.

"Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management," one such user wrote.

"We've been scrambling to obtain a digital certificate for signing our VBA projects since I first became aware of the impending update in mid-June … then immediately after we've incurred that expense and got things working again in the least inconvenient way for our customers, Microsoft just flip a switch without telling anybody? You've got us jumping from one foot to the next and having to second guess what the next volte face is going to be."

The Register has asked Microsoft to confirm the reversal of the default macro block, and to explain why it did not announce it publicly. We'll update this story if we receive a substantive response. ®
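For administrators who relied on the February default and now find it gone, the practical consequence of the rollback is that the block has to be enforced by policy rather than assumed. The PowerShell below is an added example written for this page, not code from Microsoft or The Register: it writes the "Block macros from running in Office files from the Internet" policy value for the five applications the article names and reads it back. The registry location and the value name `blockcontentexecutionfrominternet` follow Microsoft's published Office policy documentation; the `16.0` version path assumes Microsoft 365 Apps or Office 2016/2019, and writing to HKCU assumes a per-user rollout (a Group Policy Object would land in the same hive).

```powershell
# Added example (not from the article): enforce the internet-macro block per user,
# independent of whatever default Microsoft ships in the Current Channel.
$apps = 'access', 'excel', 'powerpoint', 'visio', 'word'
$valueName = 'blockcontentexecutionfrominternet'

function Set-InternetMacroBlock {
    param([string[]]$Applications = $apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1 = block macros in files that carry Mark of the Web (downloaded from the internet)
        # 0 = fall back to the Trust Center defaults, which is what the rollback restores
        Set-ItemProperty -Path $key -Name $valueName -Value 1 -Type DWord
    }
}

function Test-InternetMacroBlock {
    param([string[]]$Applications = $apps)
    $result = @{}
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        # $true only when the policy value exists and is set to 1
        $result[$app] = ($null -ne $item -and $item.$valueName -eq 1)
    }
    return $result
}

Set-InternetMacroBlock
Test-InternetMacroBlock | Format-Table -AutoSize
```

Because the policy value overrides the per-user Trust Center setting, Office keeps blocking internet-sourced macros whether or not Microsoft's shipped default changes again; signed VBA projects of the kind the commenter above describes are still allowed through the usual trusted-publisher route.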

Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.

To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

Updated: Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal civilian executive branch (FCEB) agencies – which include such organizations as the Federal Communications Commission and Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

"Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."
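CISA's sequence is inventory, migrate, then block. The PowerShell below is an added example for this page, not part of CISA's advisory or The Register's text: it performs the final "block" step in Exchange Online with an authentication policy. It assumes the `ExchangeOnlineManagement` module is installed, that the account has rights to change organization configuration, and that the inventory step (checking Azure AD sign-in logs for clients still using Basic Auth) has already been completed.

```powershell
# Added example (not from CISA or The Register): block Basic Auth tenant-wide
# once migration to Modern Auth is finished.
Connect-ExchangeOnline

# Step 1: record any policies that already exist before changing anything
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# Step 2: create the blocking policy; every AllowBasicAuth* switch defaults to $false
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Step 3: make it the tenant default for any mailbox without an explicit policy
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Step 4: assign it explicitly to every user mailbox so nothing is left on an older policy
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-User -AuthenticationPolicy $policyName

# Verify: all AllowBasicAuth* properties on the policy should read False
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
```

Running step 4 before the migration is complete will lock out any legacy client still on Basic Auth, which is exactly why the advisory puts "determine use" first; step 1's listing is worth keeping so the previous state can be restored if something is missed.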

Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and is urging customers to upgrade their clusters to the most recent release.

The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

Microsoft cloud lieutenant Tom Keane is departing the megacorp where he has spent the past 21 years in various senior roles. He is heading for the exit a month after featuring in a report about the toxic culture among company execs.

Keane, a corporate Vice President at Microsoft, started out in the Consulting Services division in 2001 before becoming group engineering manager for the System Center and then taking on the same role for Office 365.

From late 2012 until November last year, Keane was Azure corporate veep and head of global infrastructure, industry clouds, and data sovereignty. He oversaw thousands of engineers, product managers, and data scientists responsible for Microsoft's datacenter estate internationally.

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.

Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.

Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

Microsoft is extending the Defender brand with a version aimed at families and individuals.

"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

Microsoft has opened its wallet once more to pick up New York-based cyber-threat analyst Miburo.

Founded by Clint Watts in 2011, Miburo is all about the detection of and response to foreign (in the context of the US) information operations. The team is to be folded into Microsoft's Customer Security and Trust organization and the work of its analysts is to be fed into the Windows giant's threat detection and analysis capabilities.

"Miburo," said Microsoft, "has become a leading expert in identification of foreign information operations." Its research teams have hunted out some nasty influence campaigns across 16 languages.

Google has added API security tools and Workspace (formerly G Suite) admin alerts about potentially risky configuration changes such as super admin password resets.

The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

The Register - Independent news and views for the tech community. Part of Situation Publishing

Biting the hand that feeds IT © 1998–2022
