Javascript-Enabled Excel: A Wonder or a Worry?
Javascript is a term that most people will have heard of, as it’s a core component of the Internet we use every day. However, the non-programmers among us might not know much about it. Along with HTML and CSS, Javascript (or JS, as it’s usually shortened to) is one of the three core technologies of the web we see today. It helps web applications work, and so provides a lot of the interactivity we see on websites. All major browsers have a JS engine to run it, and beyond the browser it has a host of other uses, both server side and on our desktops.
First developed in 1993 by NASCA and included in some of the very first browsers like Mosaic, Netscape and Mozilla, JS has an illustrious history within the development of the World Wide Web, and it could be argued that it is one of the most important development languages around.
So, there was some interest when Microsoft announced that Excel, the ubiquitous spreadsheet tool, was to have JS support. But what exactly does this mean, and why are some people worried by it? Firstly, the integration of JS into Excel means that a whole host of new functions can be added. Whilst most people use Excel for simply running the household finances or keeping track of things at work, it is actually a powerful and flexible tool, with a huge range of uses. The addition of JS means that users are able to write custom functions, whether that be to import bank feeds directly, stream live data or code complex maths operations. It makes what is already a powerful program much, much more powerful.
However, it is this integration of web-based data that has some people worried. Whilst it will mean you can live-update parts of your spreadsheet, it also means that maliciously minded developers have a much easier way into your machine. Security researchers have found numerous instances of compromised Javascript libraries online, and the fear is that this malicious code could easily make its way onto machines running JS-enabled Excel, which may soon be everywhere.
There are some wonderful examples of Excel errors, some both famous and costly, but the fear is that these simple mistakes could be overtaken by a more nefarious style of attack. One particular security researcher recently posted on Twitter that he had already managed to get the Coinhive attack (a bug that secretly utilises your CPU to mine cryptocurrency when certain websites are visited) to run through a custom JS function, and whilst this version of Excel is currently only in private Beta testing, it points the way of things to come.
So, despite the obvious benefits of having JS-enabled Excel running on your machines either at home or at work, be careful out there, and make sure you’re both keeping your antivirus definitions up to date and not using compromised libraries online.