“Seemingly 50-50 decisions made by product managers at application and platform providers can expose their customers to extraordinary risk,” Tavakoli said.

“There could be some minor disruption for the heavy duty Excel and Word automation community, which Microsoft will no doubt pick up the cost of support for.”

An important but under-appreciated aspect of cybersecurity is that “defaults matter – and sometimes matter a lot,” said Oliver Tavakoli, chief technology officer at Vectra, in an email.

“This potentially shifts the focus of attackers to have to actively dupe users into downloading and running the payload.”

‘Defaults matter’

As the security industry is seeing a shift to credential compromise via email, “Microsoft should be commended for making this the default position,” Barratt said.

“This is a really positive step from Microsoft to make the switch,” said Andrew Barratt, vice president for technology and enterprise at Coalfire, via email.
Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.

At a future date to be determined, we also plan to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

Cybersecurity executives applauded the move in comments to VentureBeat today - though some suggested that Microsoft should’ve acted sooner.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022.

Here are the additional details on the change provided by Microsoft in its blog post:

“Blocking macros by default is a good move, at the cost of inconvenience, and can potentially protect a user from ransomware or data loss,” Kelly said.
Macros are “easy to code and run with the current users’ permissions,” he noted.

VBA macros “have been a target for hackers for over two decades,” said Ray Kelly, fellow at NTT Application Security, in an email to VentureBeat.

Microsoft’s move to disable macros by default “is a great step to stop initial access by malicious office documents,” wrote Greg Linares, research engineer at eEye Digital Security, on Twitter.

With the change, a message bar with a “learn more” button will now appear to notify users, the company said.

“The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.”

“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,” Microsoft said.

The change will cover the three most-used Office apps - Word, Excel, and PowerPoint - as well as Access and Visio.

Thus, “VBA macros obtained from the internet will now be blocked by default,” the company said.

“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,” Microsoft said in the post.

In announcing the upcoming plan to disable all macros by default, Microsoft cited the many challenges that security professionals are currently facing - including cloud migrations, securing remote workers, and the ongoing pandemic.