Back before everyone had broadband all the time, you had to be pretty selective about what kind of viruses you tried to spread online. One of cybercriminals' favorite avenues of attack in the '90s was through Microsoft Office macros, time-saving shortcuts that were in fact mini-programs and could become malware. Macro attacks ebbed but never really went away, but now they're back in full force, and a recent warning suggests they’re not so easy to avoid.
The United States Computer Emergency Readiness Team (US-CERT) issued a warning yesterday (June 9) about the resurgence of Word macro viruses, which was based on a CERT/CC Blog post the day before from Carnegie Mellon University's Software Engineering Institute. The organization points out that it posted a similar warning back in 1999, while the Melissa macro virus was spreading across the globe, which just goes to show that some cyberattacks never go out of style.
The beautiful thing about Microsoft Office macros, according to CERT, is that they rely on user input to run, rather than relying on flaws in Word, Excel or PowerPoint themselves. To demonstrate how simple it is to fool someone into running a dangerous macro, Carnegie Mellon's Will Dorman examined the macro warnings given by versions of Microsoft Word ranging from Word 97 up to Word 2013.
Dorman found that Microsoft did not always do a great job of explaining what macros are, or why they might be harmful to your computer. Word 97 was, interestingly, one of the most informative, telling users that macros could be harmful and giving them the option to disable them entirely.
As time went on and the memories of macro viruses faded, Microsoft's security warnings weakened. Word 2010 simply popped up a notification that macros had been disabled when the user tried to run one, and gave the user the option to enable macros again right away. Word 2013 and 2016 have continued that practice.
Only by clicking on the "Macros have been disabled" text in Word 2010, 2013 or 2016 — and it's not obvious that you can do so — will you receive any kind of warning about the danger of enabling macros.
In terms of what kind of mayhem macro viruses can subject you to, Dorman did not cite examples, but did say he created his own malicious macro in Word 2013 to open the Calculator app — the standard security-research proof of total control within the user account. (If the account is a limited one that can't install software for all users, the potential damage will be similarly limited.)
Because macro viruses use Microsoft's powerful Visual Basic scripts (usually to automate Office tasks, but sometimes to hijack machines), they could be used to download and install all kinds of nasty software, from online or elsewhere. Antivirus software sometimes won't detect macro viruses, as they can camouflage themselves to look like innocuous code.
"Never use macros” is not a viable solution, since macros can indeed save a lot of work. But at the very least, don't run a macro unless you know exactly what it is, what you need it for, and there's a reliable person or community that can vouch for it. By default, Office allows users to run macros on a document-by-document basis, so that's probably the best option to keep.