I wrote previously about Microsoft's plan to block all macros (VBA) in Office files from untrusted locations (e.g., downloaded from the web or attached to emails).
Microsoft briefly backtracked, before re-implementing the plan. The change has already been rolled out to users on the Preview and Current channels of Microsoft 365. This change is headed to Enterprise customers next, with the first Enterprise channels being updated on October 11, 2022.
Here's the full timeline from Microsoft:
| Update channel | Date |
|---|---|
| Current Channel (Preview) | Started rolling out on April 12, 2022 |
| Current Channel | Started rolling out on July 27, 2022 |
| Monthly Enterprise Channel | October 11, 2022 |
| Semi-Annual Enterprise Channel (Preview) | October 11, 2022 |
| Semi-Annual Enterprise Channel | January 10, 2023 |
Mark of the Web
As a reminder, Office uses the so-called "mark of the web" to flag files as "potentially unsafe." For more information about this, check out my articles: Details about the Mark-of-the-Web (MOTW) and Mark of the Web (MOTW) Support Among Zip Utilities.
The Very Real Danger of Malicious VBA...
As much as this new policy is inconvenient, malicious VBA in Office files is a very real and very common threat.
...And the Unintended Consequences of Misguided Policy
Whether Microsoft's new approach will be better than their old one remains to be seen.
I have a sneaking suspicion that a bunch of users out there will just make their Downloads directory a "Trusted Location." Which means that suspicious files they download from the internet in the future won't even come with the old warning before the code starts executing. Sure, most users probably just clicked through the old yellow warning without even reading it. But users who work around the more aggressive VBA blocking scheme by trusting their Downloads folder won't even get that visual reminder that the file they are opening might be a problem.
My prediction: within the next twelve months, users won't be allowed to mark their Downloads folder as a trusted location.
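One way to check for the workaround described above, as an added example that is not part of the original post: a PowerShell audit of the current user's Office Trusted Locations that flags any entry covering Downloads or a similar drop folder. It assumes Office 2016 or later (the `16.0` registry key) and only reads locations the user set; the `$risky` folder list and the `Test-RiskyTrustedPath` helper are illustrative names.

```powershell
# Added example: list per-user Office Trusted Locations and flag risky ones.
# Assumption: Office 2016 / Microsoft 365 Apps, which keep user settings under "16.0".
$officeKey = 'HKCU:\Software\Microsoft\Office\16.0'
$apps      = 'Word', 'Excel', 'PowerPoint', 'Access'

# Illustrative list of folders that routinely receive files from the web or email.
# Downloads and Desktop are the default locations; redirected folders are not resolved.
$risky = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')
) | ForEach-Object { $_.TrimEnd('\') }

function Test-RiskyTrustedPath {
    param([string]$Path, [bool]$AllowSubFolders)
    $p   = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    $cmp = [StringComparison]::OrdinalIgnoreCase
    foreach ($r in $risky) {
        # The trusted folder is the risky folder itself or sits below it.
        if ($p -eq $r -or $p.StartsWith("$r\", $cmp)) { return $true }
        # The trusted folder is a parent of the risky folder and trust covers subfolders.
        if ($AllowSubFolders -and $r.StartsWith("$p\", $cmp)) { return $true }
    }
    return $false
}

$findings = foreach ($app in $apps) {
    $key = "$officeKey\$app\Security\Trusted Locations"
    if (-not (Test-Path $key)) { continue }
    foreach ($loc in Get-ChildItem $key) {
        $v = Get-ItemProperty -Path $loc.PSPath
        if (-not $v.Path) { continue }            # skip entries with no Path value
        $sub = ($v.AllowSubFolders -eq 1)
        [pscustomobject]@{
            App             = $app
            Location        = $loc.PSChildName
            Path            = $v.Path
            AllowSubFolders = $sub
            Risky           = Test-RiskyTrustedPath -Path $v.Path -AllowSubFolders $sub
        }
    }
}
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize
```

A row with `Risky` set to `True` means files saved to that folder open with macros enabled regardless of their Mark of the Web.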
To quote Rick Cook:
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.”
Your move, Universe.