{"id":20854,"date":"2022-02-09T17:59:54","date_gmt":"2022-02-09T17:59:54","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20854"},"modified":"2022-02-09T17:59:54","modified_gmt":"2022-02-09T17:59:54","slug":"microsoft-blocks-vba-macros-msix-protocol","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/applications\/microsoft-blocks-vba-macros-msix-protocol\/","title":{"rendered":"Microsoft Blocks VBA Macros by Default, Temporarily Shuts Down MSIX Protocol"},"content":{"rendered":"

Microsoft is shutting a couple of security holes, including one that has been a favored target of attackers for years and another that the enterprise software giant recently learned could be exploited to install a malicious package.<\/p>\n

At the same time, the federal government is now adding another Microsoft flaw to its list of known vulnerabilities<\/a>, giving federal agencies until Feb. 18 to patch a bug in all unpatched versions of Windows 10 and urging private and commercial organizations to remediate all flaws listed in its Known Exploited Vulnerabilities Catalog<\/a>.<\/p>\n

In its alert<\/a>, the Cybersecurity and Infrastructure Security Agency (CISA) said the decision to add the flaw \u2013 tracked as CVE-2022-21882<\/a> \u2013 was \u201cbased on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\u201d<\/p>\n

\u201cIt appears CISA added this as due diligence, rather than because the attack is a high threat,\u201d Mike Parkin, an engineer at cybersecurity vendor Vulcan Cyber, told eSecurity Planet<\/em>. \u201cMicrosoft’s explanation indicates that the attack requires local access and is of high complexity, both of which reduce the likelihood of it being widely used in the wild.\u00a0Patches are available and they should be deployed as part of any organization’s standard maintenance procedure.\u201d<\/p>\n

Also read: Best Patch Management Software<\/a><\/p>\n

Disabling VBA Macros<\/strong><\/h2>\n

One of the moves Microsoft officials announced this week is the plan to block Visual Basic for Applications (VBA) macros by default in a range of Office applications. The change is directed at VBA macros obtained from the internet. Users will no longer be able to enable certain content by a simple click of a button. If they try, a message bar will appear directing them to learn more about the situation.<\/p>\n

\u201cThe default is more secure and is expected to keep more users safe including home users and information workers in managed organizations,\u201d Kellie Eickmeyer, a principal program manager at Microsoft, wrote in a blog post<\/a>. \u201cFor years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button.\u201d<\/p>\n

Threat actors can send macros in Office files to users who could easily enable them, causing malicious payloads to be delivered.<\/p>\n

\u201cThe impact can be severe including malware<\/a>, compromised identity, data loss, and remote access,\u201d Eickmeyer wrote.<\/p>\n

The change is part of a recent pattern by Microsoft, which has begun taking security into its own hands, as users can be slow to install critical patches (see Microsoft Makes Exchange Server Patches Less Optional<\/a>).<\/p>\n

Security By Default<\/strong><\/h2>\n

The change will begin rolling out in Version 2203, starting with the preview of Current Channel in early April and later in other update channels, such as Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel. It will impact Office on devices that are running Windows and affects Access, Excel, PowerPoint, Word and Visio.<\/p>\n

Security professionals applauded Microsoft\u2019s decision.<\/p>\n

\u201cOne of the important but underappreciated aspects of cybersecurity is that defaults matter \u2013 and sometimes matter a lot,\u201d Oliver Tavakoli, CTO at cybersecurity firm Vectra, told eSecurity Planet<\/em>. \u201cSeemingly 50-50 decisions made by product managers at application and platform providers can expose their customers to extraordinary risk. As the example of VBA macros demonstrates, once such a choice has been made, it\u2019s a difficult and lengthy process to change the default to something more secure as the fear of breaking things creates a form of institutional paralysis.\u201d<\/p>\n

The equation is a simple one, Tavakoli said: \u201cLeave features which may have security implications off by default and let customers choose whether the benefit of the feature outweighs the security risk of having it on.\u201d<\/p>\n

Overdue Security Change<\/strong><\/h2>\n

Ray Kelly, a Fellow at NTT Application Security, told eSecurity Planet<\/em> that \u201cVBA macros have been a target for hackers for over two decades, easy to code and run with the current users\u2019 permissions. Blocking macros by default is a good move at the cost of inconvenience and can potentially protect a user from ransomware<\/a> or data loss.\u201d<\/p>\n

Jon Gaines, senior application security consultant at nVisium, noted that for red teams at many organizations, macros have been a useful tool in security training. He also dinged Microsoft for taking too long to disable VBA macros.<\/p>\n

\u201cMacros have been a threat to Office users for many years,\u201d Gaines told eSecurity Planet<\/em>. \u201cGood on [Microsoft] for finally implementing this, but I don’t think it gets end users out of danger completely. It’s important to note that this only affects Office files downloaded from the internet, which have already had a\u00a0warning if it contains a macro at this time. However, making it more than one click to execute the macros is a great step.\u201d<\/p>\n

\"VBA<\/p>\n

Also read: Top Secure Email Gateway Solutions<\/a><\/p>\n

Temporary Shutdown for MSIX<\/strong><\/h2>\n

Late last week, Microsoft also announced it was temporarily turning off the MSIX ms-appinstaller protocol handler in its Windows AppX Installer after learning that a security flaw was being exploited by cybercriminals to deliver such malware as Emotet<\/a> (a Trojan spread via emails), TrickBot (a banking Trojan) and Bazaloader (which can result in stolen data or ransomware).<\/p>\n

In a blog post<\/a>, Dian Hartono, a program manager at Microsoft, wrote that the vendor learned an attacker could spoof App Installer to install a package that a user didn\u2019t want to install. The vulnerability is being tracked as CVE-2021-43890<\/a>.<\/p>\n

\u201cWe are actively working to address this vulnerability,\u201d Hartono wrote. \u201cFor now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.\u201d<\/p>\n

With the MSIX app package, some legacy Windows applications can get \u201cmodern packaging and deployment features,\u201d giving enterprises a way to ensure their applications are up-to-date and ensure an easy installation process.<\/p>\n

\u201cThe ms-appinstaller protocol handler was introduced to enable users to seamlessly install an application by simply clicking a link on a website,\u201d Hartono wrote. \u201cWhat this protocol handler provides is a way for users to install an app without needing to download the entire MSIX package. This experience is popular, and we are thrilled that it has been adopted by so many people today.\u201d<\/p>\n

The protocol will be re-enabled after ensuring it is secure. Microsoft is considering bringing in a group policy that will enable IT administrators to re-enable the protocol and control its use inside their organizations.<\/p>\n

Read next: Top Vulnerability Management Tools<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n