Security News

Microsoft Office for Mac, iOS and Windows to Include JavaScript in Excel

Posted on May 11th, 2018 by

Microsoft Office to Include JavaScript in Excel

Microsoft has announced that users will be able to use JavaScript to write macros in Excel, the spreadsheet software that is part of Microsoft Office. The company said:

Developers and data scientists can now to execute custom functions locally in JavaScript or with Microsoft Azure Machine Learning services to create their own powerful additions to Excel’s catalog of formulas. […] The best part is that those same functions will work everywhere add-ins do: on PC, Mac, and iPad, and in Excel Online.

Excel already has a rich library of functions that make it a powerful tool for manipulating data. Microsoft says that Excel users have long wanted JavaScript support, notably be bring in live data from the internet, such as stock prices or bank balances. This addition of JavaScript will enhance the power and flexibility of Excel, but, unfortunately, this may also open Excel up to potential malware.

It wasn’t long before someone put this to the test. Charles Dardaman created a proof of concept tool, using the processor on a computer running a spreadsheet with some JavaScript code in it to mine cryptocurrency. We discussed the problems with Bitcoin malware on the Intego Mac Podcast in episode 5, pointing out how this malware can use your computer’s CPU or GPU to earn money for someone else.

Microsoft Office has long supported macros in Office, using the VBScript language. And because of this, macro viruses—malware created with this macro language, and distributed in infected Word and Excel files—have long been a serious malware problem on both Mac and Windows. This is more problematic because these macros run on both platforms, leading to broad dissemination. (Here’s one example of recent malware that circulated last year via Word and Excel macros.)

JavaScript is a powerful scripting language that is widely used on websites. In fact, most websites use JavaScript, and it is an essential tool, together with HTML, for website design. There are some risks, and JavaScript is already being used to mine cryptocurrency when it is injected into web pages; if your Mac’s fan speeds up when you visit a webpage, or if your iPhone suddenly gets very warm when you’re viewing a webpage, it could be because of this.

While the features that JavaScript can add to Excel spreadsheets are interesting, it’s important to be careful and not open files you receive from others if you’re not sure that they are safe. Word and Excel macro viruses have, in the past, copied themselves into your templates (.dot files for Word, and .xlt files for Excel), which then allowed them to be copied into other files you create and open. Because of this, macro viruses can spread quite easily; however, they don’t affect anything other than Word or Excel files.

JavaScript support is available in developer previews of Microsoft Excel, for Mac or Windows, and in the online version of Excel, and will have a general release soon. You can learn more about how to use JavaScript in Excel here.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →