
SANS ISC InfoSec Forums | DShield


MS Office 2013 - New Macro Controls - Sorta ...

I was trolling through the readmes for the latest batch of patches from Microsoft, and found this tidbit in the doc for MS16-099 (https://support.microsoft.com/en-us/kb/3177451):

Administrators can use Group Policy to block running any macro in files that are downloaded from the Internet in Office 2013 applications. This feature is the same as in Office 2016 applications. See the following articles for more information:

A quick check immediately followed; I don't see any new registry keys that allow this control. HKCU\Software\Microsoft\Office\15.0\Word\Security shows only the previous "Trusted Documents" and "Trusted Locations" branches. No problem though, it's very common for registry keys to not be present until you add them (a missing key is a default value).

Also, and more importantly, there are no corresponding updates to the Office 2013 ADMX files, so you won't be seeing any new settings in your group policy screen for Office 2013.

You can (and should) put these macro limit controls in for Office 2016, but as far as I can see, that's an entirely different branch in both Group Policy and in the Registry.  Office 2013 apps won't read Office 2016 settings, and vice versa.  So the Office 2013 settings you had 30 days ago are still the only ones that are easy to get to.

It's great to see where Microsoft is going with this, but I think we'll all need to wait for the other half of this update before we can use it effectively.

So I think the best advice still remains to use one of these two settings for Office 2013:

Disable all without notification: If you don't use macros in your organization, disable them and DON'T give your users the ability to bypass this setting.
or
Disable all except digitally signed macros:  This is a more complex route - you'll need to sign all docs with macros in them.  This isn't such a big deal really though - most organizations with macros have either static code, or a small number of macros maintained by a small number of people.  In addition, most of us have private CA servers now for our wireless infrastructure.  
So to go forward with signed macros, what's required in advance is some training for your 2 or 3 macro authors on how to sign their code (or do it for them if changes are very seldom).

Office 2016 has these settings, as well as "Block Macros from running in Office files from the Internet".  This one is essentially the "easy button" that will shut down lots of the ransomware infections we're seeing these days.

I'm waiting with anticipation for this same "easy button" in GPO for Office 2013 to match this update (and Office 2016)!  If it doesn't come, I might write one and post it here  (I really hope it doesn't come to that though).

===============
Rob VandenBrink
Compugen

Rob VandenBrink

515 Posts
ISC Handler
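The two recommended settings above, and the Office 2016 "Block macros from running in Office files from the Internet" control, all live as DWORD values under the per-application Security keys that the diary mentions. The following PowerShell is an added example (not code from the diary or from Microsoft) that audits the effective macro setting for Word, Excel and PowerPoint in both the Office 2013 (15.0) and Office 2016 (16.0) hives, and can enforce a setting through the Policies hive so users cannot bypass it. The value names and their meanings (VBAWarnings 1-4, blockcontentexecutionfrominternet) are Microsoft's documented ones; the function names, the app list and the treatment of a missing value as the Office default of "disable with notification" are this example's own assumptions. As the diary notes, at the time of writing only the 16.0 branch acts on blockcontentexecutionfrominternet; the audit still reports it under 15.0 so you can see what will take effect once Office 2013 honors it.

```powershell
# Added example: audit/enforce Office VBA macro settings (Office 2013 = 15.0, Office 2016 = 16.0).
# Documented value meanings:
#   VBAWarnings  1 = Enable all macros, 2 = Disable all with notification (Office default),
#                3 = Disable all except digitally signed, 4 = Disable all without notification
#   blockcontentexecutionfrominternet 1 = block macros in files from the Internet (Policies hive)
# Values under HKCU\Software\Policies\... (GPO) override HKCU\Software\... (user preference).

$Apps     = 'Word', 'Excel', 'PowerPoint'                      # assumption: the apps you care about
$Versions = @{ '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$Meaning  = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all with notification (user can click Enable)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent; absent means "Office default", as the diary notes
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-OfficeMacroPolicy {
    foreach ($ver in $Versions.Keys) {
        foreach ($app in $Apps) {
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $polWarn   = Get-RegDword $policyKey 'VBAWarnings'
            $usrWarn   = Get-RegDword $userKey   'VBAWarnings'
            # Policy wins over user preference; neither present means the default of 2
            $effective = if ($null -ne $polWarn) { $polWarn } elseif ($null -ne $usrWarn) { $usrWarn } else { 2 }
            $source    = if ($null -ne $polWarn) { 'GPO' } elseif ($null -ne $usrWarn) { 'user' } else { 'default' }
            [pscustomobject]@{
                Version       = $Versions[$ver]
                App           = $app
                VBAWarnings   = $effective
                Meaning       = $Meaning[[int]$effective]
                Source        = $source
                BlockInternet = [bool](Get-RegDword $policyKey 'blockcontentexecutionfrominternet')
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(3, 4)][int]$VBAWarnings,   # 3 = signed only, 4 = disable all without notification
        [switch]$BlockInternet
    )
    # Write to the Policies hive so the setting shows as managed and the user cannot bypass it
    foreach ($ver in $Versions.Keys) {
        foreach ($app in $Apps) {
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            New-Item -Path $policyKey -Force | Out-Null
            New-ItemProperty -Path $policyKey -Name 'VBAWarnings' -PropertyType DWord -Value $VBAWarnings -Force | Out-Null
            if ($BlockInternet) {
                New-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

# Audit the current user
Get-OfficeMacroPolicy | Format-Table -AutoSize

# Enforce "disable all except digitally signed" plus the Internet block for this user:
# Set-OfficeMacroPolicy -VBAWarnings 3 -BlockInternet
```

Writing the values directly is useful for a quick test on one workstation; for the fleet, push the same values through the Office ADMX templates (or a Group Policy registry preference) so they are reapplied at every refresh, and re-run the audit afterwards to confirm the Source column reads GPO rather than user or default.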
Is there an option for Office 2010 and earlier versions?
Rahul

1 Posts
Security controls become less and less flexible as you go back in versions, with Office 2007 having almost no controls at all in this area.
If you can update, you'll be a lot further ahead - I think in 2010 the end user always has the ability to "OK" any error message and bypass it.
I'd consider Office 2013 to be a decent starting point, 2016 if you can swing it. Anything older than that and you start to look like the "straggler in the herd" to the attacking community.
Rob VandenBrink

515 Posts
ISC Handler
And on the flip-side, you end up married to that "Ribbon" garbage, which should be considered malware in-and-of itself.

I sincerely doubt there's any [other] malware that has caused more expense to business than that.
Lynn

2 Posts
> Is there an option for Office 2010 and earlier versions?

Mainstream support for Office 2007 ended on 2012-Oct-09.
https://support.microsoft.com/en-ca/lifecycle?p1=11346
Extended support for Office 2007 will end on 2017-10-10.

Office 2007 (Version 12) is no longer part of mainstream support and hasn't been tested on Windows 10. However, Office 2007 will install and run on Windows 10.
Versions of Office prior to Office 2007 are no longer supported and may not work on Windows 10.
https://support.office.com/en-us/article/Which-versions-of-Office-work-with-Windows-10-0fc85c97-da69-466e-b2b4-54f7d7275705

So, your best option is to plan for an upgrade to your Office suite.
Anonymous
Very anxious to see an update to this post when we have some ADMX files :) :) :).

I won't be on 2016 for another 6-10 months ..
TuggDougins

37 Posts
There is already ADMX for this feature on Office 2013

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
TuggDougins
3 Posts
I mean this one:

https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/
TuggDougins
3 Posts
ADMX is here:

https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/
TuggDougins
3 Posts
Quoting Anonymous:Versions of Office prior to Office 2007 are no longer supported and may not work on Windows 10.
... meaning, MS will find a way to make it not work on Windows 10, so you have to buy an upgrade...
Visi

41 Posts
