Microsoft Implementing JavaScript In Excel: What Are The Potential Threats?

Finjan Team | Blog, Cybersecurity


Since its arrival on the computing scene in 1995, JavaScript has emerged as a “consumer level” programming language capable of powering common website features like multimedia modules and form submissions. And given its long history, JavaScript code snippets are currently available across the internet, in a number of freely accessible libraries and resource bases.

It provides convenient automation for legitimate and malicious users alike, which is why the recent news from Microsoft that the company will be including JavaScript in Excel, its universally popular spreadsheet application, comes as a development of some concern to security experts and researchers.

JavaScript In Excel – Upgrade or Nightmare?

Among the new developments announced at its Build Conference earlier this month, Microsoft unveiled plans for a “custom functions for Excel” feature. It’s intended to let organizations use JavaScript to write their own additions to Excel’s formula catalog. Once written, these custom functions can be made available to end users within the formula catalog, just like built-in functions such as =SUM() and =LOOKUP().

This feature currently operates with Excel for Windows, Mac, and Excel Online. It’s initially being made available to Office 365 subscribers who are part of the Office Insiders Program.

With custom functions, Excel users will be able, in the words of a Microsoft spokesperson, to “write custom JavaScript code that looks and behaves like any other function in Excel… enabling you to extend Excel to make it the most flexible tool for processing data, customized to your organizations.”

Microsoft claims that Excel’s new custom functions will be capable of performing calculations, streaming live data, and bringing information from the web into Excel spreadsheets. JavaScript code may be integrated with Azure Machine Learning services to forecast outcomes and trends using artificial intelligence (AI) capabilities. The further integration of Microsoft Flow (a workflow automation solution) with Excel would enable end users to move data across all Microsoft applications.

JavaScript in Excel – User Convenience vs Security

The inclusion of automated elements within Microsoft Office applications has had a checkered and largely unsatisfactory history. Word macros, for example, have been historically notorious for providing hackers and fraudsters with a convenient avenue for spam generation, the launching of phishing email campaigns, and the distribution of malware.

With its long history and comparative ease of use, JavaScript is an immensely popular programming language, employed extensively in the construction of website components. But if these components aren’t adequately contained and limited in what they can gain access to, they can readily provide attackers with the opportunity to access and manipulate targeted systems, or to execute malicious code.

Within moments of Microsoft’s announcement concerning custom functions for Excel, and their ability to reach beyond an organization’s firewalls, red flags and warnings began to issue from the cyber-security community at large.

Some observers pointed out an apparent tug-of-war within Microsoft itself: developers working on the kernel, hardware, and edge security of the Windows operating system were having their efforts undermined by the Microsoft Office/Excel development team, which, by introducing JavaScript and other convenience loopholes, has set back the work of privilege separation and risk mitigation.

JavaScript in Excel – A Vector for Foul Play

Among the major concerns was the potential now available for attackers to insert malicious JavaScript into an Excel file, use the spreadsheet’s outreach capabilities to make external connections for downloading malware, and then proceed to wreak havoc on servers and client systems on targeted networks.

Shortly after the Microsoft announcement, security researcher Charles Dardaman was able to demonstrate this potential in a successful proof-of-concept (PoC) experiment.

On his blog, Dardaman explains how he “started to read Microsoft’s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.”

The Coinhive in question is a cryptocurrency mining tool which, once embedded in an Excel spreadsheet, initiates a cryptojacking operation on the host system, using its CPU and resources to mine the Monero cryptocurrency. Dardaman was able to configure his PoC spreadsheet to eat up 50% of the processing power of its host, but could easily have increased this figure – the challenge in a real attack being to limit the siphoning off of the victim’s resources to a level unlikely to be red-flagged by network monitors or security software.

With JavaScript in Excel currently limited to a preview audience of users in Microsoft’s Office Insiders program, the functionality is still relatively slow to implement. But presumably its ease of use will increase dramatically by the time Microsoft includes this tool within general release versions of its Office software. By that time, hackers and cyber-criminals will be snapping it up like hot cakes, and cooking up fresh schemes and exploits for unwary Office users.

A Working Solution to any JavaScript in Excel Issues

For now, hitting the “Off” button would seem to be the best precaution for wary enterprise users. Charles Dardaman counsels that:

“If you are a Blue Teamer, like me, wondering how to defend against such an attack, try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.

Depending on your organization’s needs, options you may want to consider are restricting the ability to run scripts or disabling Windows Script Host (which JavaScript and VBScript scripts rely on), altogether.”
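The last option in that quote, disabling Windows Script Host, is a host-level setting that an administrator can audit and apply centrally. The script below is an added example written for this page; it is not from the post or from Dardaman. It assumes an elevated PowerShell session and uses the standard machine-wide WSH settings key (HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings), whose Enabled value, when set to 0, stops wscript.exe and cscript.exe from running scripts; a per-user copy of the same key exists under HKCU.

```powershell
# Added example (not from the original post): audit and disable Windows Script Host
# machine-wide via its documented "Enabled" registry value.
# Assumptions: elevated session; standard WSH settings key path.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns a short description of the current WSH policy on this host.
    $v = Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'enabled (no Enabled value set)' }
    if ($v.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-Wsh {
    # Creates the key if it is absent and sets Enabled = 0 (REG_DWORD).
    if (-not (Test-Path $wshKey)) {
        New-Item -Path $wshKey -Force | Out-Null
    }
    New-ItemProperty -Path $wshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "Windows Script Host before: $(Get-WshState)"
Disable-Wsh
Write-Host "Windows Script Host after:  $(Get-WshState)"
```

Run the audit function alone first across a fleet (for example through a remoting session) to see which hosts already have the value set; applying the change through Group Policy Preferences rather than ad hoc scripts keeps the setting enforced after rebuilds.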

