Oh shit.

Excel adds JavaScript support.

As if macro viruses weren't enough now we can worry about spreadsheets having crypto-mining malware.

This is not the future I signed up for.

I'm never opening an Excel file in Excel ever again.

@craigmaloney I literally giggled. I can’t wait to see how this is abused.

@craigmaloney *headdesks so hard he manages to phase through the desk and lands on the floor*

@craigmaloney @vickysteeves You're thinking of it all wrong, Excel is a platform for macro malware and exploits, this is just Microsoft modernizing so malware authors don't have to learn VBScript anymore since JavaScript has replaced VB everywhere else as the lazy malware lingua franca. It's very pro-developer!

@craigmaloney At least the code will be cleaner than vbcrap#, which makes me feel ill


I'm pretty sure that if there were a way to effectively crypto-mine in Excel, it would have already happened. JavaScript is Just Another Scripting Language at this point.

@suetanvil Perhaps, but before you were limited to what Excel supported with VBA. Having a full-on JavaScript engine in there makes me wonder what they could do.

It'll be interesting to see what plays out, but I'm pessimistic that it won't add a new vector for misuse.

@craigmaloney the sad part is this means libreoffice will have javascript in a version or two :(

@craigmaloney According to @Hairyears, VB Script has been in there for aaaaages; so, this is not a new risk.

Excel is his bread and butter, so he'd know.

@artsyhonker @Hairyears Right, I remember the first iteration of Word macro viruses flitting about on our network at Ford. They have locked things down for VBA (mostly by making it so they don't auto-run). But VBA was a bit stripped down in capabilities (last I remember playing with it) so adding a full-on JavaScript engine in there with a bunch of folks who understand JavaScript is where my pessimism begins.

@craigmaloney @artsyhonker @Hairyears

VBA can make the Windows API MemCopy 'RTL' call. After that, everything is possible.


I read that Reddit post until it degenerated into a 'WeHateVBA' thread... Which wasn't very far in.

Microsoft will be running the JS through their own 'Chakra' engine and they will make *some* attempt at sandboxing and lockdown.

Plus the 'no macros and scripts' option they've had - and needed to do better - for decades with VBA and the *native* vbscript support in Excel since 2003.

So there's nothing new here, except the sheer volume of JS malware out there.


The major problem is the same old problem: everything in Excel is done by non-programmers and it's made too easy for them - even easier than PHP - to write terrible code that looks as if it's working.

Now add 'security-oblivious and they're using JS' to the brew.

Some things in Excel are done by experienced developers, using VBA as the 'visual shell' language to deliver functionality running in C#, C++, Java, Python. That works very well but...

You can call *anything* in Excel.
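
The "MemCopy 'RTL' call" mentioned above is kernel32's RtlMoveMemory, which VBA can bind with a Declare statement. The module below is an added illustration written for this page, not code from anyone in the thread: it copies the bytes of a Long into a Byte array purely by raw address, which is the capability (arbitrary memory read/write from a spreadsheet) the post is pointing at. The names CopyMemory, LongToBytes and DemoMemCopy are this example's own choices.

```vba
' Added example (not from the thread): binding kernel32!RtlMoveMemory from VBA.
' Once a macro can copy between arbitrary addresses, VBA's own type safety is gone.
Option Explicit

' 64-bit Office needs PtrSafe and LongPtr; the #If keeps the module portable.
#If VBA7 Then
    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As LongPtr)
#Else
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)
#End If

' Copies the four little-endian bytes of a Long into a Byte array using only
' raw addresses (VarPtr), with no VBA-level conversion involved.
Public Function LongToBytes(ByVal value As Long) As Byte()
    Dim buf(0 To 3) As Byte
    CopyMemory VarPtr(buf(0)), VarPtr(value), 4
    LongToBytes = buf
End Function

' Run from the Immediate window: DemoMemCopy
Public Sub DemoMemCopy()
    Dim b() As Byte
    b = LongToBytes(&H4030201)
    ' On x86/x64 (little-endian) this prints 1, 2, 3, 4.
    Debug.Print b(0), b(1), b(2), b(3)
End Sub
```

For defenders the useful part is the Declare line: a `Declare ... Alias "RtlMoveMemory"` in a macro-enabled document is one of the strings static macro scanners such as olevba flag as suspicious, precisely because legitimate spreadsheet code rarely needs raw memory copies.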

@craigmaloney @Hairyears

So the short version is: this isn't new.

VBA and VB and VBScript exist because Microsoft wanted everyone to be able to code, and Excel exists as an easy UI for them to import functionality from anything, anywhere, any way they want.

Making it even easier to do that with JS isn't new.

It all boils down to the quality of the Chakra JS engine's sandbox, and Microsoft's willingness to police the scripts that they allow to run.

...Which is to say: I share your pessimism.

@craigmaloney Maybe it's really high time to dump excel? 🐱

@samae @craigmaloney Unfortunately the only alternative the majority of enterprises will realistically use is Google Docs, which I believe already supports JS.
