Those with long memories may remember that Visual Basic played a key role in two of the first world-spanning virus attacks, Melissa in 1999 and ILoveYou in 2000. Back in 2002, Michael Zboray, who was then chief technology officer for market researcher Gartner Group and is now Gartner’s CISO, said that Visual Basic has the “wrong security posture,” and added, “Visual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets and the browser.”
And now, 15 years later, they’re still proving to be a disaster. Visual Basic has given way to Visual Basic for Applications, but the holes remain. The security company Sophos warned in a blog in 2015 that these kinds of attacks were making a comeback. This Russian hack shows they’re back with a vengeance.
It’s unlikely Microsoft will abandon Visual Basic for Applications, because too many enterprises rely on it. So enterprises need to get smarter about its use. Sophos recommends that they consider blocking all Office files that are emailed from outside a company, if those files contain macros created with Visual Basic for Applications. Microsoft offers advice of its own in its security post, “New feature in Office 2016 can block macros and help prevent infection,” including instructions on how enterprises can use Group Policy to block macros from running in Word, Excel and PowerPoint documents sent by email or downloaded from the internet.
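As an added illustration of the Group Policy control the article points to (this is example code written for this page, not from the Computerworld article, Sophos or Microsoft's post), the following PowerShell audits and optionally applies the Office 2016 "block macros from files from the Internet" policy for Word, Excel and PowerPoint on one machine. It assumes the policy lives as the REG_DWORD value `blockcontentexecutionfrominternet` under `HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security`; the `$OfficeVersion` value, the function names and the per-user registry path are assumptions to confirm against Microsoft's post and the ADMX templates for your Office build. In an enterprise the same value would normally be pushed through Group Policy rather than set locally; the script is useful for verifying that the policy actually landed on endpoints.

```powershell
# Added example: audit and (optionally) apply the Office 2016 policy
# "Block macros from running in Office files from the Internet".
# Assumption: stored as REG_DWORD "blockcontentexecutionfrominternet" under
# HKCU:\Software\Policies\Microsoft\Office\<version>\<App>\Security.
$Apps          = 'Word', 'Excel', 'PowerPoint'
$OfficeVersion = '16.0'   # Office 2016; adjust for other builds (assumption)
$ValueName     = 'blockcontentexecutionfrominternet'

function Get-MacroBlockPolicy {
    # Report, per application, whether the policy value is present and set to 1.
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Application = $app
            RegistryKey = $key
            Setting     = $value
            Enforced    = ($value -eq 1)
        }
    }
}

function Set-MacroBlockPolicy {
    # Create the policy key if needed and set the value to 1 (blocked).
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "Set $ValueName = 1")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: audit first, then preview the change; drop -WhatIf to apply on a test machine.
Get-MacroBlockPolicy | Format-Table -AutoSize
Set-MacroBlockPolicy -WhatIf
```

A row with `Enforced` equal to `False` means that application will still offer to run macros in files carrying the Mark of the Web, which is the gap the article describes; re-run the audit after a `gpupdate` to confirm that centrally managed policy has taken effect.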
Companies need to realize that Visual Basic for Applications and its macros are a potent weapon for hackers and malware authors. If it can threaten U.S. elections, it can certainly threaten enterprises’ most important documents and secrets. Given that Microsoft won’t be shutting down Visual Basic for Applications, enterprises need to take control themselves by blocking macros and scripts on incoming documents.