Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Microsoft Security Software Government Network Networking Operating Systems Privacy The Internet United States Windows News Technology

How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback (softpedia.com) 129

An anonymous reader writes: Macro malware is a term to describe malware that relies on automatically executed macro scripts inside Office documents. This type of malware was very popular in the '90s, but when Microsoft launched Office 97, it added a popup before opening Office files that warned users about the dangers of enabling macros. Microsoft's decision had a huge impact on macro malware, and by the 2000s, this type of malware went almost extinct. Lo and behold, some smart Microsoft UI designers start thinking that users might get popup fatigue, so in Office 2007, Microsoft makes the monumental mistake of removing the very informative popup, and transforming the warning into a notification bar at the top of the document with only six words warning users about macros. Things get worse in Office 2010, when Microsoft even adds a shiny button that reads "Enable Content," ruining everything it had done in the past 10-15 years, and allowing macro malware to become the dangerous threat it is today. The U.S.-CERT team issued an official threat yesterday warning organizations about the resurging threat of malware that uses macro scripts in Office documents.
This discussion has been archived. No new comments can be posted.

How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback

Comments Filter:
  • Car Anology (Score:5, Insightful)

    by Required Snark ( 1702878 ) on Friday June 10, 2016 @10:10PM (#52293325)
    If Windows was a car and Microsoft was the driver, it would be like someone who is senile and keeps running into the same tree over and over and over again. In both the real world and the analogy they always loose their memory of past failures, and the result is inevitable.

    This is rooted in Microsoft culture. Security is never a primary concern. Imagine someone with a whiny voice saying "It's too hard, I don't wanna do it, it makes things no fun" etc, etc. From the outside that seems like how they behave.

    And there is the little matter of loss of institutional memory, which is the senility part. That is because they consciously exclude people of long experience. They don't hire them, and if anyone is too long on the job they get flushed out. It's cheaper and keeps the workforce docile. But the long term result is making the same mistake over and over again. Not that Microsoft is a whole lot worse then any other big software organization, but they appear to do it even more then other big outfits.

    Expect them to resurrect the BSOD any day now...

    • Re:Car Anology (Score:5, Informative)

      by Ol Olsoc ( 1175323 ) on Friday June 10, 2016 @10:51PM (#52293443)

      Expect them to resurrect the BSOD any day now...

      It never went away - still an integral part of the Windows experience. http://answers.microsoft.com/e... [microsoft.com]

      http://answers.microsoft.com/e... [microsoft.com]

      http://www.computerworld.com/a... [computerworld.com]

      W10, 8.1, and 7. BSOD - suposedly long gone.

      I've had zealots declare me a liar while cleaning "There is no BSOD any more!" with great conviction. It stil happens, even as documented on Microsoft pages.

      Watch me get marked as a troll for pointing out the truth.

      • Of course it's still there. I am guessing OP was referring to the frequency of BSOD which has decreased as the code base gets more mature.
        • Of course it's still there.

          I have had many people telling me that I was lying, that the BSOD did not happen any more - from Vista on. Even in here, IIRC

      • I've had zealots declare me a liar while cleaning "There is no BSOD any more!" with great conviction.

        This is a good thing. I would really like it if we lived in a world where total system crashes were so rare that people actually believe that the BSOD doesn't exist anymore. We're getting there. BSOD is now very rare compared to the past. I haven't seen one in Windows 8, 8.1 or 10, don't even know what it looks like. I used to see them in Windows 7 but then I was running on flaky hardware for a while.

        It's certainly not like Windows 95, 98, Mistake Edition, or 2000 where they were an integral part of the exp

        • When Windows 10 first was released to the public (via the automatic updates fiasco) I put it on an older laptop to see how it handled older hardware. The laptop had a synaptic-powered touchpad. It would BSoD on a regular basis if I used the touchpad. Yes, it was a bad driver from Synaptic and MS did update the driver, but the point still stands. https://answers.microsoft.com/... [microsoft.com]
        • It's certainly not like Windows 95, 98, Mistake Edition, or 2000 where they were an integral part of the experience.

          Win2k does not belong in that list.

          • Yes it does, as does NT4 and XP. While they were a large step up from 95/98 they are still a long way from the stability that is offered by Windows 7 and 2008 Server. A lot of this has to do with the change of the driver model over the years. It's not significantly harder for a misbehaving driver or a hardware fault to bring down the entire system (remember BSOD and Kernel Panics are self protection mechanisms).

        • Watch me get marked as a troll for pointing out the truth.

          If you do get marked as a troll it will be for this obvious trollish and idiotic end to your post.

          DIdn't get marked as troll, but someone that calls me an idiot when calling me a troll, is.....well Bless you, thegarbz, have a fine weekend.

          My point is that you should see my moderation email. I can send cited and well documented arguments to validate my assertions, and if they are not positive about Windows, I'm descended upon like a wildebeest by crocodiles with troll mods.

      • I've had zealots declare me a liar while cleaning "There is no BSOD any more!" with great conviction. It stil happens, even as documented on Microsoft pages.

        Oh, but the BSoD went away with Windows XP.

        The default behaviour in the case of a BSoD for XP was to automatically reboot the computer, you see. People no longer saw any BSoDs, so Microsoft obviously must've fixed them.

    • Well, that's one way of looking at it. The other is that Microsoft had to cater to the lowest common denominator with big scary warning dialogs when you did something potentially stupid. And that they did that because it was new and people were ignorant, but that as a computer literate generation grew up they thought they could start taking off the training wheels. I mean, it's not like Linux gives you much warning when you break shit, yeah you might have to invoke sudo but that is the universal "trust me,

    • Too bad your analogies suck and you don't know anything about what you're talking about. Not an MS fan here, but I at least know wtf I'm talking about when it comes to diagnostics of Windows systems, and the BSOD is still part of that system. Now give MS credit for BSOD's being so rare now that stupid people that repeat lies and never admit their own fuckups, like yourself, thought they no longer exist !
  • by Anonymous Coward

    MS makes UI decisions? I thought they just delegated UI coding to the new hires, saying "Here's a project for you to learn coding on."

  • You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it. This is no different when people install whatever off the internet because they don't know better, while running an expired virus scanner that came with their computer when they bought it back in 2011. While I understand that Microsoft is a very user friendly OS compared to something like Linux, you can really only do so much without making it TOO user friendly where you can'
    • by tgv ( 254536 )

      > You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it.

      Read it again. If you don't get it, here's the gist: a shiny "Enable Content" button does not make people think "Gotta be careful, this might be a virus". Instead, it makes people, who are indeed not very knowledgeable in such matters, think: Doesn't look harmful. I want the content enabled, right? I'll click it to make it go away. That is driven by automatism and sometimes m

      • I am not arguing that it's easy to enable but it still warns you regardless if it is a "shiny button" to enable, but you'd think because it's a bad file you download from the net or a questionable email they would be smarter than to enable it. If you decide to enable it that's your fault. It's like going to some random questionable website "Oh I need a new codec to stream this video? sure i'll install it!"

        Does this mean you can blame the creator of javascript for creating pop-ups that allow you to inst
        • by tgv ( 254536 )

          The problem is that they were, and still can be, embedded in documents in reputable sources. Consider it a form of social engineering. If you manage to infect one person's Excel document in an organization, chances are that it'll spread quickly throughout the organization, because you've got no reason to distrust the source. And UI has great influence on how people treat warnings.

        • I am not arguing that it's easy to enable but it still warns you regardless if it is a "shiny button" to enable, but you'd think because it's a bad file you download from the net or a questionable email they would be smarter than to enable it. If you decide to enable it that's your fault. It's like going to some random questionable website "Oh I need a new codec to stream this video? sure i'll install it!"

          The problem is the warning is "Macros have been disabled" next to a button labeled "Enable Content" A reasonable interpretation is that if I click on Enable Content the macros will be disabled and I get to see the file's contents; not that it will enable macros to run. That button would say Enable Macros.

          Not every file with a malicious macro needs to come from a shady source directly; when I was doing some publishing we'd get files from writers that had been infected even though they were from a trusted so

      • Read it again. The two first words in the notification, in all CAPS, are "SECURITY WARNING". If that doesn't make you think that, "Gee, maybe I should be careful," you really have no one to blame but yourself.
    • Re:Really? (Score:5, Insightful)

      by jaseuk ( 217780 ) on Saturday June 11, 2016 @03:32AM (#52293973) Homepage

      Yes - but this appears even on files without any Macro content - just because the file came by e-mail. So files from internal recipients in a DOMAIN without Macros's have the SAME warning as an internet file with a Macro virus.

      This is the stupidity.

      Jason.

      • Right, that's what I was going to bring up. Microsoft changed the popup to a banner, but I don't think that's really the problem. The problem is that they also have a nearly identical banner that pops up unnecessarily under different circumstances. So they spend a few years training people to just hit "Enable" whenever the banner pops up, meanwhile making that "Enable" button the only security against malicious macros.

        It's a perfect example of "what not to do". You'd think Microsoft would have learned

    • You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it. This is no different when people install whatever off the internet because they don't know better, while running an expired virus scanner that came with their computer when they bought it back in 2011. While I understand that Microsoft is a very user friendly OS compared to something like Linux, you can really only do so much without making it TOO user friendly where you can't do anything.

      Very true, you can't fix stupid; to steal a line from Ron White. However, constantly canning how you present information in a UI is problematic and thus not a good idea. Users get used to seeing certain warnings and when they go away they assume whatever causes the warning is no longer occurring. Changing the wording of the warning can produce the same effect. Enable Content could be reasonably assumed to allow opening the file and seeing the content, not allowing it to Run Macros.

      As for your internet and v

  • I'm too lazy for MS's shenanigans. I just enable macros by default in outlook to run an auto-bcc vba script without being bothered all the time.
  • by Anonymous Coward on Saturday June 11, 2016 @02:24AM (#52293841)

    ...was when they decided that hiding the extension was a great idea and made it default in XP.
    trojan.jpg.zip anyone?

  • How is there news about Office 2010, which was presumably released 6 years ago. Who even uses Office these days, Google docs all the way... or a Markdown editor.
  • The real issue here is that macros and scripts should always run in a very well designed and hardened sandbox. No matter what your script does, it won't be able to do more than screwing up the spreadsheet it came embedded with. It really is insane that a macro could harm your computer, except in Microsoft's world.

    The culprit is simply bad design. Nobody in their right mind would allow arbitrary scripts from unknown sources to be run freely in an environment where they can affect things outside that envir

  • Seriously, what kind of head injuries do the people at Microsoft have?? This is an enormously STUPID decision made by enormously STUPID people.

    Ask technically-savvy people about this and 99.99999% would say, "Don't do this", but the wizards at MS in their infinite wisdom do it anyway?

    WTF, Microsoft?? Do you want your users to be fucked over?

    • Seriously, what kind of head injuries do the people at Microsoft have??

      It's called "product management." It results in diminished quality everywhere it is used, because it relieves the developers from the responsibility of thinking about the quality of what they are building.

      Here's an example of the special Microsoft version of this disease [blogspot.com]:

      So just on my team, these are the people who came to every single planning meeting about this feature:

      1 program manager
      1 developer
      1 developer lead
      2 testers
      1 test lead
      1 UI designer
      1 user experience expert
      --
      8 people total

      These planning meetings happened every week, for the entire year I worked on Windows.

      The advantages of this system are: better top-down control, and you can hire less competent developers (who have not the skillset of thinking about what they are building).

      • So just on my team, these are the people who came to every single planning meeting about this feature:

        Yep. I've worked (as a contractor) at Microsoft, and yes, the meetings are constant, unproductive, and often litle more than dick-waving contests.

        I rarely left a meeting feeling like we'd accomplished anything useful. Most of the decisions made were done in such a way so that no one could/would be blamed for anything that happened as a result of the meeting. Half the people there had no input and no stake in the subject at hand, but they had to come so they could "show the flag" and rack up meeting points.

        T

        • So it got to be this reporting-fuckfest done mainly to plump up the work logs to make it appear we were doing something. And we were doing something: we were filling out shitloads of "what I did" reports, which took away from the time we needed to actually accomplish our goals. Fucking insane.

          Did anyone read them?

          • Did anyone read them?

            Theoretically the higher-higher managers did, but who knows.

            They probably got a stack of these combined reports every week and said, "Not another load of this shit again!" and tossed them in the shredder.

            • It's actually kind of amazing Microsoft held together at all, considering how bad their management style is.
              • It's actually kind of amazing Microsoft held together at all, considering how bad their management style is.

                Yep. I'm surprised the company survived the decade-long "stack ranking" clusterfuck, which was an egregious, self-inflicted wound perpetrated by clueless management retards.

                It just goes to show that inertia in a large company can keep them rolling along, even when the treads are coming off and smoke is pouring from the turret.

  • Often times at work, one co-worker e-mails an Office document to another. The recipient opens the document from their e-mail, clicks the Enable button on that yellow notification bar to switch from read-only mode to editing mode, and then views the document without making any changes. Whenever I see this, I point out to the person that they should not click that button unless they're read what the notification says (click to enable editing), and they should only click it if they need (and know they need)

  • I think the worst decision was putting security functions in dynamically loaded libraries and allowing them to be dynamically hijacked [darkreading.com]

A company is known by the men it keeps.

Working...