Microsoft is trying to close the door on a couple of avenues that cybercriminals have long used to attack users and networks.
The corporate IT giant’s policy of blocking Visual Basic for Applications (VBA) macros by default in Office documents downloaded from the Internet has been reactivated after a brief hiatus taken to address feedback from users who were having trouble with the security defense.
Also this week, Microsoft enabled a default in Windows 11 designed to block or slow obvious RDP (Remote Desktop Protocol) brute force attacks.
Both policies should shut down the avenues that criminals have used for years to sneak into systems, steal data and spread malicious code.
The issue of macros has become particularly thorny for the software giant.
“For years, Microsoft Office has provided powerful automation capabilities called active content, the most common type being macros,” Kellie Eickmeyer, senior product manager at Microsoft, wrote in a blog post in February when the computer titan announced its intention to block, by default, macros in Office files downloaded or otherwise obtained from the Internet.
“Although we provide a notification bar to notify users of these macros, users could still decide to enable macros with the click of a button. Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss and remote access.”
Eickmeyer added that “for the protection of our customers, we need to make it harder to enable macros in files obtained from the Internet.”
The policy was to block these particular macros by default in Access, Excel, PowerPoint, Visio and Word, although after a few months of – sometimes negative – feedback from users, Microsoft temporarily paused the rollout. Complaints ranged from criticism of how the block was implemented to the negative impact it had on some users’ systems.
In an update this week to the original announcement, Eickmeyer wrote that Microsoft is “resuming the rollout of this change to the Current Channel. Based on our review of customer feedback, we’ve made updates both to the end user and to our IT administration documentation to clarify the options you have for different scenarios.”
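Office decides whether a document was "obtained from the Internet" by reading the Mark of the Web, a small NTFS alternate data stream named Zone.Identifier that browsers and mail clients attach to downloaded files. The following is an added example, not Microsoft's code or anything from the original post: it parses the constructed stream contents and applies the default-block rule described above. The choice of which URL security zones count as "from the Internet" (Internet and Restricted sites) is an assumption made for the example.

```python
"""Parse a Zone.Identifier (Mark of the Web) stream and decide whether the
Office default described above would block VBA macros in the file.

Added example, not Microsoft's code. ZoneId values are the URL security
zone numbers; which zones trigger the block is an assumption here.
"""
import configparser
from typing import Dict, Optional

# URL security zone identifiers as written in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Assumption: files marked Internet or Restricted sites fall under the block.
BLOCKED_ZONES = {3, 4}


def parse_zone_identifier(stream_text: str) -> Dict[str, Optional[object]]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns 'zone_id' (int or None), 'referrer' and 'host'. A missing or
    malformed stream yields zone_id None, meaning the file carries no mark.
    """
    empty = {"zone_id": None, "referrer": None, "host": None}
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return empty
    if not parser.has_section("ZoneTransfer"):
        return empty
    section = parser["ZoneTransfer"]  # option names are matched case-insensitively
    try:
        zone_id: Optional[int] = int(section.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    return {
        "zone_id": zone_id,
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
    }


def macros_blocked_by_default(stream_text: Optional[str]) -> bool:
    """True when the file carries a mark from a blocked zone."""
    if stream_text is None:
        return False  # no Zone.Identifier stream: not marked as downloaded
    return parse_zone_identifier(stream_text)["zone_id"] in BLOCKED_ZONES


def read_zone_stream(path: str) -> Optional[str]:
    """Read the alternate data stream from an NTFS file (Windows only)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as handle:
            return handle.read()
    except OSError:
        return None


# Constructed sample streams in the shape a browser writes on download.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.xlsm\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, sample in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET)):
        info = parse_zone_identifier(sample)
        print(label, ZONE_NAMES.get(info["zone_id"]), "blocked:", macros_blocked_by_default(sample))
```

A document copied from a network share or unzipped by a tool that does not propagate the stream arrives with no mark at all, which is why the policy is a default rather than a guarantee; the parser treats a missing or malformed stream as "not marked".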
Holding back the years
Macros have been a security issue for years. Microsoft released a tool in 2016 that allowed administrators to set policy regarding when and where these scripts were allowed to run. Additionally, users were asked whether they really wanted to run macros before they were allowed to run.
The challenges continue even now. HP’s Wolf Security threat intelligence group wrote this month about OpenDocument files being used to distribute Windows malware. These documents were emailed to brands and, if opened, prompted the user to update fields containing references to other files. If the user clicked “yes”, an Excel file opened and another prompt asked whether macros should be enabled. If the user enabled macros, their system was infected with the open source AsyncRAT backdoor.
As for RDP brute force attacks, Windows 11 builds now include a default account lockout policy which should at least slow down potential intruders.
In brute-force attacks, cybercriminals use automated tools to guess someone’s account password: the tools run through a huge list of passwords until one works and they can log in to the victim’s account. According to a tweet from Dave Weston, vice president of enterprise security and operating systems at Microsoft, these tools are used to distribute ransomware and commit other crimes.
The default policy for Windows 11 builds – specifically, Insider Preview 22528.1000 and later – automatically locks accounts for 10 minutes after 10 failed login attempts. Users can change this, adjusting both the number of failed login attempts that trigger a lockout and the length of time the account stays locked.
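To show what the lockout default buys a defender, here is an added example, not Microsoft's code or anything from the original post. It does two things: it runs a simple brute-force detection over constructed failed-logon records shaped like Windows Security event 4625 (at least 10 failures for one account from one source inside a 10-minute window), and it models how many password guesses a tool can actually get evaluated in an hour once the account locks for 10 minutes after 10 failures. The lockout model assumes the counter resets when the lock is applied and ignores the separate observation window; the sample records and IP addresses are constructed.

```python
"""Detect RDP password guessing from failed-logon records and model the
effect of the 10-failures / 10-minute lockout default described above.

Added example, not Microsoft's code. Records are constructed in the shape
of Windows Security event 4625 fields; real data would come from the
Security event log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample: (timestamp, event id, account, source IP).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS: List[Tuple[datetime, int, str, str]] = [
    (datetime(2022, 7, 22, 9, 0, 0) + timedelta(seconds=2 * i), 4625, "admin", "203.0.113.7")
    for i in range(12)
] + [
    (datetime(2022, 7, 22, 9, 5, 0), 4625, "alice", "198.51.100.4"),   # one typo
    (datetime(2022, 7, 22, 9, 5, 30), 4624, "alice", "198.51.100.4"),  # then success
]


def find_guessing(
    events: List[Tuple[datetime, int, str, str]],
    threshold: int = 10,
    window: timedelta = timedelta(minutes=10),
) -> Set[Tuple[str, str]]:
    """Return (account, source) pairs with at least `threshold` failed logons
    inside any sliding window of length `window`."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for ts, event_id, account, source in sorted(events):
        if event_id != 4625:
            continue
        key = (account, source)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


def guesses_evaluated(
    seconds_per_guess: int,
    horizon_s: int,
    threshold: Optional[int] = 10,
    lockout_s: int = 600,
) -> int:
    """Count guesses the system actually evaluates within `horizon_s` seconds.

    A tool fires one guess every `seconds_per_guess`. After `threshold`
    consecutive failures the account locks for `lockout_s` seconds and guesses
    made while locked are rejected without being checked. threshold=None
    models an account with no lockout policy at all.
    """
    evaluated = 0
    failures = 0
    locked_until = -1
    t = 0
    while t < horizon_s:
        if t < locked_until:
            t += seconds_per_guess      # rejected: account is locked
            continue
        evaluated += 1                  # assume every guess is wrong
        failures += 1
        if threshold is not None and failures >= threshold:
            locked_until = t + lockout_s
            failures = 0                # counter resets with the lock
        t += seconds_per_guess
    return evaluated


if __name__ == "__main__":
    print("flagged:", find_guessing(SAMPLE_EVENTS))
    print("guesses/hour, no lockout:", guesses_evaluated(1, 3600, threshold=None))
    print("guesses/hour, 10 failures -> 10 min lock:", guesses_evaluated(1, 3600))
```

With one guess per second the lockout cuts the evaluated guesses in an hour from 3,600 to 60, which is why Weston describes the control as making brute force "a lot harder" rather than impossible; the detection function is the piece that tells you it is happening.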
In his tweet, Weston wrote that “This control will make brute force a lot harder which is awesome.”
In a paper published last year, researchers at Malwarebytes Labs detailed RDP brute force attacks, saying they “pose a serious and ongoing danger to Internet-connected Windows computers.”
“While there are many ways to break into an Internet-connected computer, one of the most popular targets is Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows someone to use a computer remotely,” they wrote. “It’s a gateway to your computer that can be opened from the Internet by anyone with the right password.”
The Malwarebytes Labs researchers outlined a number of ways to protect against RDP brute force attacks, from disabling RDP entirely to using strong passwords, multi-factor authentication and a VPN, as well as limiting the number of guesses allowed before an account is locked. ®