Javascript in Excel sparks security worries

By on
Javascript in Excel sparks security worries

Fears custom functions will be abused by attackers.

Microsoft has added the ability for users to create custom Javascript functions in Excel spreadsheets, creating concern among security experts.

According to Excel program managers Michael Saunders and Johnnie Thomas, who introduced the new feature at this week's Microsoft Build developer conference, the custom Javascript functions extend the spreadsheet's own formula functions.

User-defined Javascript functions allow Microsoft Office developers to code up maths operations, import information from websites such as bank account balances, and to stream live data, Saunders and Thomas said.

However, security experts have raised concerns around Javascript's potential to be abused by malicious actors to run arbitrary code on users' computers.

"I can think of a few more examples that maliciously-minded developers might be keen to try out," anti-virus industry veteran Graham Cluley commented.

In February this year, a compromised version of the Browesealoud Javascript accessibility library was found on thousands of Australian government websites.

It attempted to utilise visitors' computers to illicitly mine for crypto currency.

Security researcher Charles Dardaman posted on Twitter that he had already managed to get Coinhive cryptocurrency mining running via an Excel Javascript custom function.

The Javascript custom functions are available in preview only at this stage, to users who have agreed to take part in Microsoft's early adopter Insider program.

Microsoft has long been keen on adding Javascript support for Office developers.

It introduced Excel Javascript application programming interfaces in September last year, and said the functionality would continue to be expanded to enable developers to build powerful solutions within the spreadsheet.

Copyright © iTnews.com.au . All rights reserved.
Tags:
In Partnership With

Most Read Articles

Log In

Username / Email:
Password:
  |  Forgot your password?