Security advocates got a major win in February, when Microsoft announced that Office applications would finally block VBA macros by default. But Microsoft is backtracking. The VBA macros block, which was initially slated for June of 2022, no longer has a release date.
Update, 7/21/22: As reported by ‘Bleeping Computer,’ Microsoft has resumed blocking VBA macros by default in the Office Currents Channel. And when Office blocks a macro, it now shares a link explaining how to get around the block (plus an explanation for why macros are dangerous). This is to address negative user feedback during early tests.
Macros allow you to automate tasks within Office applications. You can use them to automatically fill out Excel spreadsheets using datasets, for example. But VBA macros are also a major vehicle for malware and phishing—they’re just hunks of code, and they’re often shared by strangers on the internet.
Microsoft began testing a VBA block in its “Currents Channel” last April. This block prevents macros from running until they’re saved to a “trusted location” and manually signed by a user. But Microsoft suddenly rolled back this block, citing user feedback.
Comments on Microsoft’s Tech Community forum indicate that the VBA macros block wasn’t effective. Some macros managed to work directly from email and web attachments, which defeats the whole purpose of this block. (Unfortunately, we can’t verify if this is true or not.)
According to Wenjun Gong, a Program Manager at Microsoft, the company will “provide another update when we’re ready to release again.” There’s a decent chance that the VBA macros block will return to the Office “Currents Channel” and eventually roll out to average users.