[AccessD] Microsoft Office default change – Blocking VBA macros in files from the internet

James Button jamesbutton at blueyonder.co.uk
Fri Feb 11 07:54:35 CST 2022 

Agreed 
Only allow macros to run from trusted sources.
Problem is it only takes 1 disgruntled person to add an on-event action.

I used to be able to do checking of  macro and event code.
 
I now work on the basis that - any files with macro capability that comes from a 'trusted' supplier gets  the macros  stripped - and then the checked versions that were sent as a .txt file  macros  from  that source get imbedded (imported.
The difficulty for most 'users' being that :
1) They do not read and understand VBA.
2) They do not understand about on event coding.
3) They do not have easily usable - and safe to use sandbox or VM  facilities.

Then they get the software suppliers approach - "No links or code", or "allow everything" - see the actions offered  with web sourced Office and .PDF files.

If I get a question from someone to whom I provide 'support' and advice, as to what to do about a "from the internet" message 
such as "Enable Content" when a file contains links to data  - as in get this value - not run this script.
What can I tell them now?
OK - the file is an .xlsx  so you can enable content -  - and then they have the default setting where the file "your monthly data corrected.xlsx.xlsb"
gets shown to them as being "your monthly data corrected.xlsx"

And  then there is the simple "Enable Edit"   has to be allowed if the user wants to see columns of data on worksheets  where the sender has closed the rows or columns to zero height, or width.

Basically , it seems to me that organizations such as MS  are determined to stop users being able to be careful about what happens on their systems.
And - considering the response I recently saw to the MS will force updates on users - so system backups are your friend:
 Yes - you can take a backup of the system when you get asked for permission to install software 

Problem is if the change is awaiting a restart to complete the install,  any restore of that system will complete the install as part of the first startup.
And if just wanting permission do download - well  the restored system will go to the MS site, find the outstanding fixes, and ask  for that permission.
And ..
As I found when I stopped the application of fixes other than security ones  so I could have a stable system for a project creation, and proving period, 
I eventually got a (Not from MS honest  response from MS support!) message saying updated need installing - with the only option being [Proceed]
And no response from the keyboard, or mouse access to anywhere else on the screen that that panel. 
My fault - 
I had stopped updates being applied for longer that the allowed period!
The system required that I let it contact the outside world  and inquire of MS if there were fixes !
Doing that   immediately got the message and system lockup to stop occurring.

My approach would be that I would NOT run any MS OS, or software,  
BUT 
That is not a viable approach for anyone providing facilities to almost all corporates


JimB




-----Original Message-----
From: AccessD <accessd-bounces+jamesbutton=blueyonder.co.uk at databaseadvisors.com> On Behalf Of Bill Benson
Sent: Friday, February 11, 2022 2:45 AM
To: Access Developers discussion and problem solving <accessd at databaseadvisors.com>
Cc: DBA-Tech (dba-tech at databaseadvisors.com) <dba-tech at databaseadvisors.com>
Subject: Re: [AccessD] Microsoft Office default change – Blocking VBA macros in files from the internet

I wrote a macro that removed internet zone info from files. I thought it
was cool and offered it to people in my firm but they didn’t seem to
appreciate it. Then even I stopped using it. Reason:  no one (or very very
few) gets MS Office files from the internet.

I think that is the best defense, do business with those you trust, have
good contracts in place.

I suppose there are some who can’t avoid interacting with macro workbooks
from untrustworthy (or not known to be trustworthy) sources. But if so,
should thoroughly test such files out beforehand if possible. Because
really, what business does someone have running macro code they know
nothing about if the source isn’t proven trustable?

On Thu, Feb 10, 2022 at 9:37 PM John Bartow <jbartow at winhaven.net> wrote:

> Thought you may be interested in this news release:
>
> https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
>
>
> https://docs.microsoft.com/en-us/DeployOffice/security/internet-macros-blocked
>
> John B
> --

More information about the AccessD mailing list