
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-08-15



MS Office 2013 - New Macro Controls - Sorta ...

Published: 2016-08-15
Last Updated: 2016-08-15 14:00:56 UTC
by Rob VandenBrink (Version: 1)
9 comment(s)

I was trolling through the readmes for the latest batch of patches from Microsoft, and found this tidbit in the doc for MS16-099 (https://support.microsoft.com/en-us/kb/3177451):

Administrators can use Group Policy to block running any macro in files that are downloaded from the Internet in Office 2013 applications. This feature is the same as in Office 2016 applications. See the following articles for more information:

A quick check immediately followed; I don't see any new registry keys that allow this control. HKCU\Software\Microsoft\Office\15.0\Word\Security shows only the previous "Trusted Documents" and "Trusted Locations" branches. No problem though; it's very common for registry keys to not be present until you add them (a missing key is a default value).

Also, and more importantly, there are no corresponding updates to the Office 2013 ADMX files, so you won't be seeing any new settings in your group policy screen for Office 2013.

You can (and should) put these macro limit controls in for Office 2016, but as far as I can see, that's an entirely different branch in both Group Policy and in the Registry.  Office 2013 apps won't read Office 2016 settings, and vice versa.  So the Office 2013 settings you had 30 days ago are still the only ones that are easy to get to.

It's great to see where Microsoft is going with this, but I think we'll all need to wait for the other half of this update before we can use it effectively.

So I think the best advice still remains to use one of these two settings for Office 2013:

Disable all without notification: If you don't use macros in your organization, disable them and DON'T give your users the ability to bypass this setting.
or
Disable all except digitally signed macros: This is a more complex route - you'll need to sign all docs with macros in them. This isn't such a big deal really, though - most organizations with macros have either static code, or a small number of macros maintained by a small number of people. In addition, most of us have private CA servers now for our wireless infrastructure.
So to go forward with signed macros, what's required in advance is some training for your 2 or 3 macro authors on how to sign their code (or do it for them if changes are very seldom).

Office 2016 has these settings, as well as "Block Macros from running in Office files from the Internet".  This one is essentially the "easy button" that will shut down lots of the ransomware infections we're seeing these days.
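As an added example (not from the diary or from Microsoft), the following PowerShell audits the current user's macro posture for Office 2013 and Office 2016, checking the two 2013 settings recommended above and the 2016 "Block macros from running in Office files from the Internet" setting. The value names VBAWarnings and blockcontentexecutionfrominternet, their meanings, and the HKCU\Software\Policies\... path that Group Policy writes to are taken from Office documentation rather than from the diary, and the "absent value = Office default of 2" assumption is mine.

```powershell
# Added example, not the diary's own code. Audits per-app macro settings for
# Office 2013 (15.0) and Office 2016 (16.0) in the current user's hive.
# Assumed from Office documentation (not from the diary):
#   VBAWarnings  1 = enable all, 2 = disable with notification (Office default),
#                3 = disable except digitally signed, 4 = disable without notification
#   blockcontentexecutionfrominternet = 1 -> the Office 2016 "Block macros from
#                running in Office files from the Internet" setting
# A policy-hive value (written by GPO) is taken over the plain user-hive value.
$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = [ordered]@{ '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$meaning  = @{ 1 = 'Enable all (dangerous)'; 2 = 'Disable with notification';
               3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or the value is absent (absent means default, as the diary notes)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-MacroPosture {
    foreach ($ver in $versions.Keys) {
        foreach ($app in $apps) {
            $policy = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $user   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"

            $vba = Get-RegValue $policy 'VBAWarnings'; $source = 'Policy'
            if ($null -eq $vba) { $vba = Get-RegValue $user 'VBAWarnings'; $source = 'User' }
            if ($null -eq $vba) { $vba = 2; $source = 'Default (assumed)' }

            # The Internet block only exists for 2016; the diary found nothing for 2013.
            $block = $null
            if ($ver -eq '16.0') {
                $block = Get-RegValue $policy 'blockcontentexecutionfrominternet'
                if ($null -eq $block) { $block = Get-RegValue $user 'blockcontentexecutionfrominternet' }
            }
            $blockText = if ($ver -eq '16.0') { [bool]($block -eq 1) } else { 'n/a (no 2013 GPO yet)' }

            [pscustomobject]@{
                Product           = $versions[$ver]
                App               = $app
                VBAWarnings       = [int]$vba
                Setting           = $meaning[[int]$vba]
                Source            = $source
                BlockFromInternet = $blockText
                # Meets the diary's advice: 3 or 4 for 2013; for 2016 the Internet block also counts
                Compliant         = ([int]$vba -ge 3) -or ($ver -eq '16.0' -and $block -eq 1)
            }
        }
    }
}

Get-MacroPosture | Format-Table -AutoSize
```

Run it as the user whose settings you want to see; a row with Compliant = False for an Office 2013 app means that app is still on "Disable with notification" or weaker, which is the state the diary warns is the only easily reachable one today.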

I'm waiting with anticipation for this same "easy button" in GPO for Office 2013 to match this update (and Office 2016)! If it doesn't come, I might write one and post it here (I really hope it doesn't come to that though).

===============
Rob VandenBrink
Compugen
