How a Bad UI Decision from Microsoft Helped Macro Malware Make a Comeback

Share this…

US-CERT warns about a rise in macro malware. Following numerous reports from various security firms about a large number of malware that uses macro scripts in Office documents to spread, the US-CERT team has issued an official alert to all organizations about this resurging threat.

Macros are not malicious by nature, being added to automate various operations in the Office suite.

Macro malware, as this threat is sometimes called, relies on small scripts attached to Office files that execute when the document is opened, if there’s no security restriction.

Macro malware was very popular 20 years ago

Macro malware was extremely popular in the 90s, when it helped many worms and viruses spread, such as the Melissa virus.

Initially, macros had the ability to execute when you opened a file, a feature which malware coders loved. Microsoft course-corrected with Office 97, showing a very informative popup with all sorts of warnings and options to avoid opening a file with automatically-executing macros.

These popups managed to curb down macro malware popularity, and as the 2000s came, this type of malware distribution technique almost died out.

Macro script popup in Office 97

Macro script popup in Office 97

Unfortunately, Microsoft made a huge design mistake when it decided that starting with Office 2010 it would remove the informative popup that appeared before the file was opened, and transform it into a notification bar, inside the application, after the user opened the file.

Microsoft still blocked automatic macro execution at document startup, but the notification bar was very light on security warnings and the information needed for Office users to understand what macros were exactly and what are their direct consequences.

Macro malware resurgence is because of one bad UI decision

From a warning in Office 97 that included five lines of text, of which a sentence read “Some macros may contain viruses that could harm your computer,” the message was narrowed down to six words saying “SECURITY WARNING Macros have been disabled.”

Microsoft didn’t give any reason why macros were disabled, or what would happen if the user turned them on. In Office 2013, right next to this warning there is even a huge button that reads “Enable Content” that, you guessed it, enables macros.

Crooks didn’t notice this change at first, but they eventually caught on, and here we are today, in the second age of macro malware, two decades after it was almost eradicated.

UI & UX design has a role in everything, and it sure had an impact on the malware scene. With no visible and informative message, users returned to their old habit of enabling macro scripts in order to view the file’s content, a common explanation used by malware coders.

If you still think macro malware is not a potent threat, just search our website for the term, and you’ll see almost weekly reports on a new malware family employing this technique to distribute, or some cyber-espionage group targeting its victims with malicious Office docs.

US-CERT Australia has a collection of recommendations regarding macro malware security.

Macro script notification in Office 2010

Macro script notification in Office 2010