Security vs Functionality: Microsoft Office
Microsoft Office is the lynchpin of many businesses. Not even Google have been able to displace its position as a corporate standard. In part, that is due to its versatility. The sheer number of features means that it can be adapted by anybody for any requirement. Companies of all shapes and sizes rely on Excel for critical processes and functionality.
My own employer is no different in this respect. We use Excel for everything from task logs through to project plans and client billing. Sure there are specialist tools that can do all these things. We even use them alongside Excel. However, few specialist tools are as easy to use as the humble spreadsheet.
We track project budgets in our project management tool. There are dashboards in this system that account managers and consultants use to ensure we stick to both time and budget. However, these reports can't be shared with clients. We can export them, but the numbers and layout aren't in the correct format for a client to understand. Producing a client budget reconciliation used to require exporting multiple reports and hours of manual Excel manipulation. A few years ago, one of our data analysts automated the entire process using an Excel macro. This saved weeks of time for everyone, allowing clients to see budget utilisation in real time for the first time.
In June, Microsoft rolled out an immediate ban on VBA macros in Microsoft Office. This only rolled out to the consumer version of the product, but even that caused a considerable backlash from businesses that use Macros for core business processes. The ban on macros was lifted a month later. Security professionals were not happy about the change; knowledge workers had a very different perspective.
The new restrictions only ever applied to macros in files downloaded from the web. Files in trusted network locations and macros signed by a security certificate were also still permitted, regardless of the source of the file. This follows a long term trend towards restricting access to files shared online. Microsoft have included security warnings about macros for years. Users have to enable them separately after opening the file. The new block changed this behaviour so that the option to enable macros was removed from downloaded files.
Microsoft are still happy for businesses to use Macros in Office, but only in trusted files developed by dedicated developers on behalf of users. This balances the benefits associated with Office macros against the risks they bring. If such files are stored in a central location, then that removes the risk associated with macros. The ultimate idea is that office macros should be subject to the same development, review and distribution processes as software applications.
One such expectation is that files containing macros should be digitally signed using a code signing security certificate. For large companies with dedicated developers such a requirement can be considered reasonable. Code signing certificates are already used for distributing desktop software. Reusing the same certificates for Office macros is not a big ask for enterprise IT. Even if it was, large organisations generally have dedicated infrastructure for issuing and managing internal security certificates.
Instead, it's the legion of smaller companies that are most challenged by macro restrictions. However, they're also the people suffering from the problems that motivated a crackdown on macros in the first place. Macros are an extremely powerful tool, but that power opens up significant security vulnerabilities in Microsoft Office. That's because they allow Office to interact with other programs, as well as the user's PC. This exposes the underlying operating system to an application that was not designed to have that level of access, risking unauthorised access and unwanted privilege escalation vulnerabilities.
Sending booby-trapped office documents is a common virus or ransomware tactic. These documents will contain macros that infect the user's PC when run, exploiting any security vulnerabilities that exist within Office. In theory, these types of attacks shouldn't work. Microsoft changed the defaults for downloaded documents years ago. Users have to explicitly enable macros on such documents, bypassing multiple security warnings. However, many office workers still fall for such scams despite mandatory security training in most companies.
These are the loopholes that security professionals are trying to close. They want Microsoft to remove macro functionality from Office, so that such attacks are no longer possible. That isn't happening. However, users will find it increasingly difficult to use macros as time goes on. The reversed security changes are being re-implemented from next week. Microsoft just wanted to find a better way of presenting them.