On Monday at its Build conference in Seattle, Microsoft announced a host of software products and updates related to buzzy technologies like machine learning and mixed reality. But the company also debuted a number of smaller upgrades to existing products, including a new Excel feature that allows users to execute custom JavaScript functions in spreadsheets. That might be helpful for spreadsheet junkies, but it makes security researchers cringe.
The move is well-intentioned; it should make Excel even more powerful and capable by allowing users to integrate expanded information from the web and third-party services—think bank account balances or stock prices. But JavaScript also creates more interconnection and more access points—meaning more points of potential vulnerability. It's already a bit of a web security nightmare. And on top of that, attackers have long shown their willingness to exploit customization and automation features in Excel—and other Microsoft Office programs—to create malicious files for phishing and other attacks. The ubiquity of Microsoft Office files makes them the perfect vector for tricking victims and wreaking havoc.
"JavaScript opens up another attack vector for malicious documents, and is yet another thing that we as defenders will have to watch out for other than what Excel can already do," says Chase Dardaman, a malware analysis researcher based in Texas. "The main concern is that since JavaScript usage in Excel is so new we do not know what controls Microsoft will put around it. They will need to make it more open and easier to use than it currently is, and that could open up new attack vectors."
JavaScript is an extremely popular programming language, and has been around since 1995. It's often used to power common features on websites like multimedia modules and form submissions. But if JavaScript components aren't contained and limited in what they can access, attackers can potentially exploit them to access and manipulate systems and execute malicious code. In just one example, hackers are known to exploit insecure JavaScript implementations to pull off cross-site scripting (XSS), which lets attackers hijack websites to steal data or serve malware to innocent visitors. JavaScript has also been around for so long that lots of buggy prefab code exists in libraries around the web, and frequently gets incorporated into unsuspecting websites.
Right now Microsoft has only released the expanded Excel functionality to members of its "Office Insiders" program, so it still has time to refine the implementation. In particular, observers say they hope Microsoft will turn JavaScript execution off by default, so Excel only allows the custom functions to run after specifically prompting a user to approve—or deny—it each time. A company spokesperson said in a statement to WIRED that, "We take the security of our customers seriously, and by design, only trusted logic can execute within the context of a custom function, with appropriate controls to gate usage."
As the company works on the new feature, analysts are already exploring what attackers could do with it if and when it hits the mainstream market. Within a day of the announcement this week, Dardaman published a proof of concept that showed how the new functionality could be programmed to run the CoinHive cryptomining program through an Excel document. Dardaman was even able to set things up so that the mining quietly relaunched each time a user opened the compromised Excel file.
Thankfully, the pre-release of JavaScript for Excel makes it difficult to share tainted files, but researchers say that protection largely stems from JavaScript for Excel still being in a testing phase. Eventually, Dardaman suspects that Microsoft will refine the feature and make it easier to use. Streamlining the tool for legitimate users could make it more effective for attackers.
"I understand what Microsoft is going for with this, but I believe the harm vastly outweighs the good," says Mitch Edwards, a threat intelligence analyst and researcher. "Accessibility has been put before security for a long time. We in the security community are still trying to get a grip on other attack vectors in the Office Suite, and the addition of JavaScript functionality to Excel adds another tool to the belt of the attacker."
Observers note that a cryptominer isn't the only thing an attacker could program into a JavaScript-enabled Excel file. Phishers and targeted attackers looking to gain access to a system or spread malware could lean on these innocuous-looking file downloads as the jumping-off point to achieving a number of goals, from data theft to gaining remote control of a victim's device. Just look at how attackers have exploited the Office automation feature "Macros" for years, building special "Macro malware" to spread in spam emails and ZIP files.
"With all of the badness JavaScript can cause, I'd imagine that Microsoft is going to have to handle it the same way that they handle Macros, which is to have it turned off by default," says Crane Hassold, a threat intelligence manager at the security firm PhishLabs, who previously worked as a digital behavior analyst for the FBI. If the company doesn't, he says, the feature will become popular with "not just phishers, but cyber threat actors in general."