On July 8, Microsoft reversed its February decision to block macros in Excel documents by default. Microsoft has said it will block Excel files containing macros if they are downloaded from the Internet. (Attackers use these decoys as a way to attack networks; in particular, ransomware and other types of malware can be launched from a plain old malicious spreadsheet.)
Microsoft still plans to introduce this lock, but only after “better experience”. In the meantime, there are steps you can take now so you don’t have to worry about changes in the future.
If you work for a firm that develops spreadsheets for their own internal office use, chances are the spreadsheet is not digitally signed. Signing machos is similar to how websites use SSL certificates to verify the legitimacy of a site. The hardest part of the self-signing process is deciding whether you want to purchase a code-signing certificate or use a self-signed certificate process. (I can tell you from personal experience that trying to purchase a code signing certificate is an expensive and cumbersome process. I don’t recommend this option except for large enterprises where the code signing process is routine.)
For everyone else, I recommend signing your Excel macros yourself. The tricky part is getting a program that allows you to do this. You will need to follow this Knowledge base article to locate the selfcert.exe file on your computer. In my case, the file is located in “C:Program FilesMicrosoft OfficerootOffice16” (if you are using a 64-bit version of Office). Run the selfcert.exe program and name the certificate something descriptive, such as MyExcelFiles.
In the search box on your Windows computer, type mmc.exe to launch the management console. Click on the file, then on “add/remove a snap-in”, then on “include certificates” and add it to the management view. You want to add it to “My Account”. Click on certificates > current user and then on personal certificate store. You should now see this “MyExcelFiles” certificate in the certificate store. You can double-click on it to view the certificate. (It should say that the CA root certificate is not trusted; this is normal for a self-signed certificate.)
Now open the Excel file that you want to sign with your self-signed certificate. (You’ll need to add the Developer tab to your Excel spreadsheet if it’s not already showing.) After clicking File > More > Options, select Customize Ribbon on the left. Then select the “Main Tabs” on the right, select the “Developer” checkbox and click the “OK” button.
On the Developer tab, in the Code group, select Visual Basic. In Visual Basic, on the Tools menu, click Digital Signature. When the Digital Signature dialog box appears, select the certificate and click OK. Save Visual Basic and close the Visual Basic interface. Now save the Excel file again.
It is also important to revise macro security settings on your computer. On the Developer tab (again in the Code group), click Macro Security. In the “Macro settings” category, select the desired option. After all the Excel files you use are signed with your self-signed certificate, you can change the settings to “Disable VBA macros except digitally signed macros”.
Now it’s time to look at spreadsheets that include macros. If you’ve downloaded any from the internet and don’t know where they came from, stop. You want to make sure they aren’t malicious by uploading files to www.reverse.it or www.virustotal.com to see what the file contains. Once you’ve identified the Excel files with macros that you want to use (but that you haven’t personally developed), your next step is to make sure that each of those Excel files doesn’t have an “Internet Mark”.
Don’t open the files – just right-click the Excel spreadsheet and select properties. On the general tab, look for the indication that “This file comes from another computer and may be blocked to protect this computer.” You have to click on the box that says “Unlock” and click to apply. Now that the file has been scanned and unlocked, open it, digitally sign it, and save again. This ensures that your Excel files are signed by you; if you open them at any time in the future, you will know if they have been tampered with.
For small businesses that store and share Excel files, I recommend creating a secure location on your network for your trusted Excel spreadsheets. Go to Excel and click on File > Options > Trust Center, then Trust Center Settings; here you can browse the places you think are “trusted”. By default, Excel does not trust network locations. Although Microsoft does not recommend adding a trusted network location, for business purposes I add a specific site or location and then check who has access to that location. Specify who needs access to macros and especially access to this trusted network location. Not everyone in your office needs this level of access. In fact, most of your users – even in small businesses – probably aren’t. Plan accordingly.
Deciding who and what has access to a trusted location can be the difference between being attacked by ransomware or not. Not everyone needs an Excel file with a macro. Not everyone needs trusted locations on your network. But attackers would clearly be happy if we didn’t make these decisions.
Microsoft will eventually block macros in Excel documents downloaded from the Internet. Take the time now to get ahead of these changes; don’t wait for Microsoft to release it again.
Copyright © 2022 IDG Communications, Inc.