Security Alert Microsoft Adds Support for JavaScript in Excel—What Could Possibly Go Wrong?

LASER_oneXM

#1
Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes.

As promised last year at Microsoft's Ignite 2017 conference, the company has now brought custom JavaScript functions to Excel to extend its capabilities for better work with data.
Functions written in JavaScript for Excel spreadsheets currently run on various platforms, including Windows, macOS, and Excel Online, allowing developers to create their own powerful formulae.

But we saw it coming:

Security researcher Charles Dardaman leveraged this feature to show how easy it is to embed the infamous in-browser cryptocurrency mining script from CoinHive inside an MS Excel spreadsheet and run it in the background when opened.

"In order to run Coinhive in Excel, I followed Microsoft’s official documentation and just added my own function," Dardaman said.

Here is the official documentation from Microsoft to learn how to run custom JavaScript functions in Excel.
 
Deleted member 65228

#2
I am not a fan of the idea but unless you are forced into using Microsoft Office then it isn't a real concern for you. I've seen complaints and mocks about this on Twitter for the past few days...

Hopefully, however, Microsoft will implement some Attack Surface Reduction (ASR) rules which can cover JavaScript restrictions in Microsoft Excel.

I also think that Microsoft should allow ASR to function without Windows Defender enabled, because a lot of third-party AVs will not provide the same functionality that it does.