JavaScript in Excel: Two Steps Forward, One Step Back?

July 25, 2018

“Progress,” in the computer world, means being able to do more, with fewer resources, more easily. That’s the reason Microsoft announced that it would begin integrating JavaScript capabilities into Excel, giving spreadsheet authors a scripting option beyond VBA, which until now has been the only choice. According to Microsoft, the upgrade “provides a powerful set of capabilities to the Excel platform, offering developers, data scientists, and power users more opportunities to better work with data.” With the new scripting capabilities, “developers will be able to build new kinds of data visualizations in Excel — giving users a much more diverse charting experience, right in Excel.”

Currently, the new capabilities are available only to Office Insider users; Office Insider is an opt-in program that lets users receive the latest updates and features from the Office development team. If the feature proves popular, Microsoft could open it to a much wider audience.

Now, spreadsheet authors who want to call remote functions from Excel (executing code that imports documents, links, and so on) won’t have to resort to VBA to do that; Excel itself will provide that functionality. But like so many other forms of “progress,” this one too has unforeseen consequences that empower bad actors. If integrated JavaScript makes it easier for spreadsheet authors to implement remote actions than the VBA they have had to use until now, it also makes it easier for attackers to insert rogue code into spreadsheets, instead of relying on VBA as they have until now.

We’ve mentioned before how remote code (such as Flash) can be used to attack systems. CVE-2018-5002, for example, involves embedding a Flash file in an Excel document using ActiveX; when activated, it downloads a second Flash file. The initial Flash file then decrypts the second one, which contains the malware; once executed, that malware downloads a malicious shell and runs it, following instructions from the command-and-control server.

Integrated JavaScript attacks could work the same way: an add-in script written by an attacker could find its way into a spreadsheet, giving the attacker the ability to run whatever code they choose. In fact, a proof of concept already exists: a white-hat hacker successfully imported CoinHive functions into Excel, enabling crypto-mining when the document was opened.

Admittedly, the possibilities for this kind of attack are currently limited, because several safety features have been built into the system. To run JavaScript functions through the Excel add-ins feature, users must manually approve the add-in the first time it is used. In addition, any connection to an external server must be specifically approved as well.

But if the feature is rolled out to a wider audience, there may be greater demand for a smoother experience. According to researchers, “Microsoft has also confirmed that Excel add-ins currently rely on a hidden browser process to run asynchronous custom functions, but in the future, it will run JavaScript directly on some platforms to save memory.” If that happens, watch out. As the white-hat hacker who demonstrated this attack vector wrote, “Microsoft has, for some reason, decided that the business world needs yet another scripting language running within office. Currently, it takes some effort to get JS running within Excel, but I suspect that the difficulty will drop drastically as we near JS moving into the full Office build. Once that has been completed, I plan to take another look at this new attack vector.”

Just another reason, in our opinion, why you need Votiro. Integrated JavaScript functions are essential to the execution of a file; hence, anti-malware systems don’t check them, and neither do sandboxes or other security systems. Only Votiro goes to the heart of an Excel file, inspecting its innards, including its embedded JavaScript routines. The Excel file is deconstructed, the offending code sanitized, and the file reconstructed. Microsoft’s new idea may indeed be a great example of progress in action, but with Votiro’s solution, companies can ensure that this progress works only for them, and not for hackers.