"Visual Basic for Applications (VBA) is one of the easiest methods to deliver malware nasties: simply by dropping malicious code into an Office doc as a macro and attaching to an email. The victim would be lured by a plausible pretext into opening an Office file attachment delivered to them by email."
Nice theory but based on old Office technology. Microsoft was late to the party, sure, but they have been working on securing their macro environment. First the differentiation between documents with macro's and those without (.doc vs .docx and .docm (document using macros) extension).
But most of all: Secure locations.
When I open an e-mail attachment which contains a weird macro then so what? Because Office will open the document with macro execution disabled, because it got opened from an insecure location.
By default only the standard location for Office documents is trusted, and those are not the places where downloaded documents or e-mail attachments will end up in.
The only way where this will go wrong is if the user is still tempted to click the button next to the big warning: "Macro execution has been disabled, click here if you want to enable it.". And even then it won't execute fully.
This has been the case since Office 2010 (which is no longer supported even), and I think it may even have been part of 2008 as well.
“Office macro exploits are just about the only cool thing that Visual Basic gets used for any more,” he added.
Then this guy is completely ignorant of what you can actually do with VB or Office macro's.
My whole company administration is automated through VBA. All handwritten but the best part is that I could easily "tie" the components together. Example: I store a lot of customer data in Outlook, its for keeping appointments, e-mails, etc. So; if I have an appointment I can quickly check the address if needed.
So what happens when I need to send 'm a bill or letter? Simple! My Word macro opens the Outlook contact database, checks for the customer name and then retrieves the right data and adds it to my template. Last time I manually typed a customer address in Word is 3 - 4 years ago.
Document references.. You don't think I'm making those up myself do you? That's what my "Private Function RefGen(naam As String) As String" function is for.
Note that I'm not saying that there is no risk at all, but I do think it's hardly as extreme as this guy wants us to believe. For starters he's ignoring the issue that the end user once again needs to click on a button which has a big bold warning next to it.
The solution is a group policy to only allow certain people to run macro's? Uh huh. I'd personally opt to disable the "run macro anyway" override option which is also doable. Through a policy or, for example, by using a VBA macro which gets automatically started when Office starts.