Microsoft has resumed rollout of their new Office macro blocking system after the feature was mysteriously suspended a few weeks ago. But why? Microsoft hasn’t explained why they stopped the new macro blocks and their reason for restoring the feature is both incomplete and nonsensical.
The new system totally blocks Office documents that contain macros and appear to come from external (Internet) sources. Windows marks such files with a Mark of the Web (MOTW), which stops Office (Word, Excel and PowerPoint) from opening the macro-enabled document.
Hackers often fool people into infecting their computers by putting nasty code into Office documents and tricking them into unblocking the macro protections.
The new MOTW system prevents that by providing no option to run the macro – all you get is a warning “SECURITY RISK Microsoft has blocked macros from running because the source of this file is untrusted.”
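As an added illustration (not code from Microsoft or from this article): Windows stores the Mark of the Web in an NTFS alternate data stream named Zone.Identifier, and the Python below parses that stream's text to list macro-enabled files marked as coming from an external zone. The function names, the extension list and the sample data are assumptions made for this example, and Office's real decision also depends on admin policy and trust settings that are not modelled here.

```python
import configparser
from pathlib import PurePath

# Illustrative (not exhaustive) set of macro-enabled Office extensions.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".ppsm"}
# Windows URL security zones; this example treats 3 and 4 as "external".
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_motw(stream_text):
    """Return the ZoneId found in Zone.Identifier text, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        return int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None

def audit(files):
    """files: iterable of (filename, stream text or None). Returns flagged (name, zone) pairs."""
    flagged = []
    for name, stream_text in files:
        if PurePath(name).suffix.lower() not in MACRO_EXTENSIONS:
            continue  # not a macro-enabled file type
        zone = parse_motw(stream_text) if stream_text is not None else None
        if zone is not None and zone >= 3:
            flagged.append((name, ZONES.get(zone, f"Unknown zone {zone}")))
    return flagged

# Constructed sample data. On a Windows NTFS volume the stream text can be read
# with open(path + ":Zone.Identifier").read() instead.
SAMPLES = [
    ("invoice.docm", "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.com/invoice.docm\n"),
    ("budget.xlsm", None),                          # created locally, no MOTW stream
    ("report.docx", "[ZoneTransfer]\nZoneId=3\n"),  # downloaded, but not macro-enabled
    ("share.pptm", "[ZoneTransfer]\nZoneId=1\n"),   # intranet zone
    ("broken.xlsm", "ZoneId=3\n"),                  # malformed: no section header
]

if __name__ == "__main__":
    for name, zone in audit(SAMPLES):
        print(f"{name}: marked as coming from the {zone} zone")
```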
The MOTW system has been tested since February 2022 when Office-Watch.com first explained it.
In early July 2022 Microsoft started rolling out the new system, then suddenly reversed course. The MOTW rollout was suspended with no explanation or clear notice.
Fast forward two weeks (to 20 July 2022) and the Office macro MOTW system is back on again. According to Microsoft the rollout has resumed.
Why the suspension?
Microsoft hasn’t properly explained either the decision to suspend MOTW checks or why it’s been restored. This is all they will say …
“Based on our review of customer feedback, we’ve made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios. For example, what to do if your users have files on SharePoint or files on a network share.”
They then refer to their existing documentation for users and admins but WITHOUT explaining what has changed – beyond the two ‘for examples’.
- For end users, A potentially dangerous macro has been blocked
- For IT admins, Macros from the internet will be blocked by default in Office
Pull the other one
We’re supposed to believe that this whole thing was about a few changes in the documentation? As they say in Britain “Pull the other one”.
The web pages could have been updated (clarified) anytime without hassling customers with the sudden removal of a major new security system.
Either the suspended rollout was a major overreaction to some feedback or (more likely) there’s a lot more to this than Microsoft is prepared to admit.