Excel 4.0 (XLM) macros are now disabled by default, Microsoft has confirmed. In a Tech Community blog post, the company revealed that the change has been made to better protect users against “related security threats” coming through spreadsheets.
Back in July 2021, the company released a new Excel Trust Center setting option, allowing administrators to restrict the usage of Excel 4.0 (XLM) macros. It has now made this option default for everyone.
Administrators can use existing Microsoft 365 applications policy control to configure this setting, the announcement reads. The Group Policy setting “Macro Notification Settings” for Excel can be found in the following path and registry key:
Group Policy Path: User configuration > Administrative templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center.
Furthermore, administrators can manage this policy setting with both cloud policies and ADMX policies. They can also completely block all XLM macro usage, including in new user-created files, by enabling the Group Policy “Prevent Excel from running XLM macros”, Microsoft added.
Excel 4.0 (XLM) macros were the default format until 1993, and even though they’ve since been discontinued, they can still be run by the latest versions of the Office program. That makes them ideal for threat actors, who’ve been abusing them to push malware such as TrickBot, Zloader, Qbot, Dridex, ransomware, and many other malicious programs, BleepingComputer notes.
The publication also notes that in October 2019, Microsoft added a new Group Policy allowing administrators to block Excel users from opening untrusted Microsoft query files with IQY, OQY, DQY and RQY extensions. It claims that these files have been weaponized for years in “numerous malicious attacks” to deliver remote access Trojans and malware.
XLM is disabled by default in version 16.0.14527.20000+, current Channel builds 2110 or greater, monthly Enterprise Channel builds 2110 or greater, semi-annual Enterprise Channel (Preview) builds 2201 or greater, and semi-annual Enterprise Channel builds 2201 or greater (coming this July).
Facebook is finally making 2-Factor Authentication (2FA) the rule for some of its most-at-risk accounts.
It’s a smart move, protecting venerable Facebook users, especially those who are looked to for responsible and accurate information – think journalists, politicians, celebrities, and you'll get the idea. Someone gaining access to any one of these accounts and masquerading as it could have wide-reaching, damaging effects. The company made the announcement on Thursday, pre-briefing some reporters and then directing them to a full story on Wired.
Why, I wonder, has this taken so long?
Stories of people, in all stations of life, who’ve had critical accounts hacked are all too commonplace. I usually find out when someone sends me a separate email or text exclaiming, “Help! I’ve been hacked!” Worse yet is when they don’t know and I spot the bizarre activity on their Facebook account and send a private note through other channels: “Hey, I think your Facebook’s been hacked.”
2-Factor Authentication is a simple idea that few people adopt because they see it as annoying or overly complicated. Put simply, whenever you log into a system, you have to prove it’s really you through a secondary device or system, one that can give you a code to apply to that first system.
Some 2FA systems use SMS texts to your phone (or a voice call); others use proprietary hardware that spits out unique, time-sensitive codes that also get entered into the original system.
For most people, the primary device handling 2FA is their smartphone. Most security system managers figure that if you have your phone with your SIM and unique phone number on it, that’s about as good as it needs to get for verification. Looked at another way, how likely is it that someone trying to use your email and maybe a password they found on the Dark Web to log into your Facebook will also have your phone in their hands?
Inside Facebook Protect: What's new?
The system in question, known as Facebook Protect, was designed originally as an opt-in for political figures. In addition to 2FA, there’s a Page publishing authentication system to ensure that nobody publishes offensive material on a candidate’s pages, and the requirement that Page managers use real names.
The new plan takes Facebook Protect further, with Facebook proactively identifying at-risk users or groups of users and targeting them to enroll in Facebook Protect. Personally, I’d like to see Facebook follow Google’s plan and require 2FA for all users.
It’s not a perfect system, and there are reports of phone scammers convincing unsuspecting service users (banks, cryptocurrency wallets, Venmo, PayPal, and other accounts that also use 2FA) to share the 2FA SMS codes. Still, it’s better than a single, poorly crafted password, or one that’s being passed around on the Dark Web like so much gossip.
Facebook’s plan, which sounds small and almost tentative, might still be a rude awakening for at-risk users who missed the memo and, after ignoring multiple prompts to enable 2FA, may find themselves locked out of their own accounts.
Facebook's Head of Security Policy Nathaniel Gleicher, however, told me via Twitter that the “Number of warnings will vary by country/context — we're adjusting to make sure people have the time they need. So far, we've seen the overwhelming majority (90%+) enroll on time w/out trouble!”
Getting locked out of Facebook would not be a great situation. But it's definitely better than a hacker or prankster taking over and posting things in your account that no one wants to see.
Norton 360 for Gamers is a version of the Norton 360 security suite which is specifically aimed at, you guessed it, gamers!
But if all you're doing is playing games in the comfort of your own home, why should you need an antivirus tool? In this article, we break down in detail exactly how Norton 360 for Gamers helps to protect your PC, and what additional defenses are present for gamers in particular.
Norton 360 for Gamers gives you the same core defenses against malware as the vanilla Norton 360 internet security suite. To be precise, you receive everything that subscribers to Norton 360 Deluxe get, plus the gaming extras we’ll come onto in the next section.
That includes real-time protection to keep malware off your PC, on-demand scans, heuristics to detect freshly released threats, and dedicated anti-ransomware tech. As we found in our full Norton antivirus review, these combine to provide a very solid level of core protection.
Norton puts its antivirus money where its mouth is, with the firm’s ‘virus protection promise’ that gives the customer their money back if a device is hit by malware which Norton’s experts can’t remove.
Further protection is provided by some high-quality URL filtering to keep your web browsing safer, and Norton also implements an intelligent firewall. The latter is a very informative firewall that can help you make decisions on untrusted programs which are trying to use your internet connection – this is a pleasingly fresh and useful approach to firewall execution.
Those are the main defenses, then, but Norton 360 for Gamers also delivers the security suite extras found in Norton 360 Deluxe. That includes a backup facility with 50GB of cloud storage space, which could come in very handy if things go awry (always back up your important files, no matter how confident you are in the security of your PC). There’s also a password manager and webcam protection.
Another nifty feature is a built-in VPN, which is far from standard with security suites. To be precise, this is Norton Secure VPN and while it might be a relatively basic VPN service, it’s solid enough and a great bundled inclusion adding to the value proposition here.
Using a VPN for gaming helps to protect your privacy and anonymity online, with other benefits such as geo-blocking. That enables you to, say, stream content you wouldn’t otherwise be able to access. A VPN can also help you avoid the likes of DDoS attacks, which can be aimed at you to bog down your internet connection and ruin an online gaming session.
Dark Web Monitoring keeps an eye out for any of your personal details or data being involved in a data breach, because the knowledge that something has been spilled online can enable you to react quickly and keep your accounts secure.
Finally, those with children will appreciate the parental control system. This is a seriously good package to protect kids when they’re online, with all manner of content filtering and the ability to set time limits on device usage, as well as thorough location tracking facilities to keep tabs on your offspring not just online, but in the real world via GPS too.
On top of all the above, Norton 360 for Gamers offers a number of extras targeted specifically at those who enjoy PC gaming. We’ve already touched on the Dark Web Monitoring feature, which with the gaming suite is extended to also cover gamer tags and accounts, helping to keep these safe from exploits by nefarious types who may come across your leaked details.
Gamers running Windows also get the benefit of fewer notifications from Norton, with the suite able to detect when you’re running full-screen apps like games, only interrupting you if something critical happens like your PC being actively under attack.
The biggest gaming-related feature though, is the Game Optimizer. This allows Norton 360 for Gamers to intelligently allocate CPU resources to the game you’re playing in Windows to get better performance.
The caveat is that it doesn’t work with every game, but supports titles run via the Epic Games Store and Steam, plus game launchers from Bethesda, Blizzard, EA (Origin), Rockstar, and Ubisoft (Uplay). And bear in mind that you’ll need a quad-core CPU to use this feature, but most gamers these days will have one of those in their gaming PC.
How does Norton 360 for Gamers protect your device?
As we’ve seen, Norton 360 for Gamers delivers a whole raft of protection, from its core anti-malware measures (and specialized ransomware and web protection) through to security features like an intelligent firewall and integrated VPN.
That VPN can help defend against the likes of DDoS attacks aimed at gamers (or even the terrible practice of ‘swatting’, which is trying to call in a SWAT team or similar tactical response unit on false pretences), and the Dark Web Monitoring is a great extra to keep all your gaming accounts more secure.
Overall, Norton 360 for Gamers provides a commendable level of all-round protection and some nifty gaming-related extras for Windows users, particularly as Norton claims that its optimization feature can help some games run faster.
It’s well worth considering as a security package for those keen on gaming, with the main compromise compared to Norton 360 Deluxe being that Norton 360 for Gamers only supports three devices, rather than five. Both offerings are pitched at around the same price typically, and at the time of writing, Norton 360 for Gamers is a touch cheaper.