Microsoft confirmed Friday that it has begun undoing one of its biggest recent moves for improving the cybersecurity of its products and customers.
A representative for the tech giant said a "rollback" has started on a measure to block, by default, Visual Basic for Applications (VBA) macros in Office, a feature cyberattackers have exploited for decades to deliver malware. The measure was widely applauded by security professionals after it was announced in February.
Now, many of those same security practitioners are questioning Microsoft's reversal on blocking Office macros.
"The single most impactful change Microsoft could have made to radically improve a real world cybersecurity issue in their own back garden (that they directly profit from) was rolled back without even being communicated," well-known security professional Kevin Beaumont said on Twitter.
The decision by Microsoft, which was first reported by Bleeping Computer on Thursday, was confirmed by two Microsoft representatives on the Microsoft 365 blog post that originally announced the macro-blocking measure.
The Microsoft representatives both said that the decision was made "based on feedback." Microsoft did not immediately respond to an email from Protocol on Friday.
Microsoft has been blocking VBA macros by default in five Office apps. Those include the three most widely used apps — Word, PowerPoint and Excel — and Visio and Access.
As of this writing, it's unclear whether the reversal is meant to be permanent or if Microsoft might bring back macro-blocking in Office in another form. Lots of companies use Office macros to automate parts of their business processes, and blocking those macros could have broken customer workflows.
"[W]e’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel," one of the Microsoft representatives said in a comment on the blog post.
Malicious macros in Office documents have in the past been blamed for nearly half of all malware delivery mechanisms.
"Looks like Microsoft has blessed us all with more job security," security researcher Marcus Hutchins said on Twitter in response to the rollback.
Microsoft's initial disclosure on the rollback was provided to administrators in the Microsoft 365 message center on Thursday, according to Bleeping Computer. A comment from an admin on the Microsoft blog post suggests the rollback had taken effect at least as early as Wednesday.