Microsoft Office is ubiquitous among businesses, so it is not surprising that it is also one of the most common attack vectors for malware. Macro viruses are a type of malware that makes use of the macro scripts that run in many programs within the MS Office Suite. Last week, Microsoft delivered an update that allows organization admins to control the macro settings of files.

Macro-based malware was almost completely abandoned years ago after Microsoft turned off the feature by default. However, over the last couple of years, cybercriminals have started to use social engineering as a means to encourage users to re-enable the feature. Cybercriminals will frequently send an email to a business under the guise of a client or even an employee within the company. If the email attachment is opened, the user will be presented with a fake warning that the content cannot be viewed until they update their security settings. If the user falls for the ruse, the program macros activate and can be used to either install malware directly or connect with other MS Office programs to further spread the malware.

Macros on their own are a valuable feature for many businesses. Macros allow for the automation of many tedious tasks in programs like Excel, which would otherwise need to be performed manually. Disabling macros entirely is a heavy-handed fix that, as stated above, is easy to circumvent. This week, Microsoft has introduced a better solution to the problem: a group policy setting that administrators can use to disable macros on files obtained from untrusted locations.

The new setting is called “Block macros from running in Office files from the Internet” and can be found in the Group Policy Management Editor under User Configuration in the “Trust Center”. This new setting allows admins to control the macro settings of each Office program individually. Files downloaded from email or online sites can have their macro settings flagged automatically and restricted from use. If a user attempts to open the file, they will receive the security message, “Macros in this document have been disabled by your enterprise administrator for security reasons.” The user won’t have an option to manually bypass the restriction.
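Once the policy has been deployed, an administrator can confirm on a workstation that it actually applied for each Office program. The following PowerShell audit is an added example, not part of the original article or Microsoft's documentation; it assumes Office 2016 (registry version key `16.0`) and that the policy is stored as the DWORD value `blockcontentexecutionfrominternet` under each application's per-user policy `Security` key, neither of which is stated in the article.

```powershell
# Audit the "Block macros from running in Office files from the Internet"
# policy for the current user, one Office application at a time.
# Assumptions (not from the article): Office 2016 (version key 16.0) and the
# policy value name 'blockcontentexecutionfrominternet'.
$officeVersion = '16.0'
$officeApps    = 'Word', 'Excel', 'PowerPoint'
$policyValue   = 'blockcontentexecutionfrominternet'

function Get-MacroBlockPolicy {
    param(
        [string[]]$Apps,
        [string]$Version,
        [string]$ValueName
    )
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $raw   = $null
        $state = 'NotConfigured'   # key or value absent: policy never applied
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw   = $item.$ValueName
                $state = if ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
            }
        }
        [pscustomobject]@{
            Application = $app
            Value       = $raw
            State       = $state
            PolicyKey   = $key
        }
    }
}

$results = Get-MacroBlockPolicy -Apps $officeApps -Version $officeVersion -ValueName $policyValue
$results | Format-Table -AutoSize

# Report every application where the block is not enforced, since the
# setting is controlled per program and one can be missed.
$gaps = @($results | Where-Object { $_.State -ne 'Enabled' })
if ($gaps.Count -gt 0) {
    Write-Warning ("Macro block policy not enforced for: " + ($gaps.Application -join ', '))
} else {
    Write-Output 'Macro block policy is enforced for all audited applications.'
}
```

Because the setting lives under User Configuration, run the check in the context of the user whose policy you want to verify, after a group policy refresh.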

Microsoft is urging companies to review the new security options present in this update and enable the new macro-blocking settings. With the renewed popularity of macro viruses, it is a good first line of defense against infection and a welcome security addition from Microsoft.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer