Security News Microsoft Adds Support for JavaScript in Excel—What Could Possibly Go Wrong?

LASER_oneXM

Thread author
Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes.

As promised last year at Microsoft's Ignite 2017 conference, the company has now brought custom JavaScript functions to Excel to extend its capabilities for better work with data.
Functions written in JavaScript for Excel spreadsheets currently run on various platforms, including Windows, macOS, and Excel Online, allowing developers to create their own powerful formulae.

But we saw it coming:

Security researcher Charles Dardaman leveraged this feature to show how easy it is to embed the infamous in-browser cryptocurrency mining script from CoinHive inside an MS Excel spreadsheet and run it in the background when opened.

"In order to run Coinhive in Excel, I followed Microsoft’s official documentation and just added my own function," Dardaman said.

Here is the official documentation from Microsoft to learn how to run custom JavaScript functions in Excel.
 

Deleted member 65228

I am not a fan of the idea but unless you are forced into using Microsoft Office then it isn't a real concern for you. I've seen complaints and mocks about this on Twitter for the past few days...

Hopefully however, Microsoft will implement some Attack Surface Reduction (ASR) rules which can cover JavaScript restrictions in Microsoft Excel.

I also think that Microsoft should allow ASR to function without Windows Defender enabled, because a lot of third-party AVs will not provide the same functionality that it does.
 
