What Could Possibly Go Wrong

Posted by clever ativity on May 16th, 2018


Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes.

As promised last year at Microsoft’s Ignite 2017 conference, the company has now brought custom JavaScript functions to Excel to extend its capabilities for better work with data.

Custom functions written in JavaScript for Excel spreadsheets currently run on several platforms, including Windows, macOS, and Excel Online, allowing developers to create their own powerful formulae.

Security researcher Charles Dardaman leveraged this feature to show how easy it is to embed the infamous in-browser cryptocurrency mining script from CoinHive inside an MS Excel spreadsheet and run it in the background when opened.

“In order to run Coinhive in Excel, I followed Microsoft’s official documentation and just added my own function,” Dardaman said.

Microsoft's official documentation explains how to write and run custom JavaScript functions in Excel.


But… JavaScript for Excel Poses Less Threat—Here’s Why

However, it should be noted that Excel add-ins, the mechanism responsible for running JavaScript custom functions, do not execute by default the moment a spreadsheet that references them is opened.

Instead, the user must manually load and run the JavaScript functions through the Excel add-ins feature the first time; after that, they execute automatically every time the Excel file is opened on the same system.

Moreover, when a JavaScript function in an Excel sheet tries to connect to an external server, Microsoft prompts the user to allow or deny the connection, which stops such code from running without the user's consent.

Therefore, JavaScript for Excel does not pose much of a threat today, unless and until someone finds a way to execute it automatically without any user interaction.

Besides this, Microsoft has also confirmed that Excel add-ins currently rely on a hidden browser process to run asynchronous custom functions, but in the future, it will run JavaScript directly on some platforms to save memory.

For now, JavaScript custom functions for Excel have been made available as a Developer Preview for Windows, Mac, iPad and Excel Online, and only to Office 365 subscribers enrolled in the MS Office Insiders program.

Microsoft will soon roll this feature out to a broader audience.
