Well, that didn’t take long.
A few minutes after writing about the potential risks that might be introduced by Microsoft announcing JavaScript support in Excel custom functions, I wondered out loud how long it might take for someone to get a spreadsheet to mine for cryptocurrency.
How long until the first cryptomining Excel spreadsheet? https://t.co/I4r1xQcYlq
— Graham Cluley (@gcluley) May 8, 2018
Turns out I wasn’t the only one to have that idea.
Security researcher Charles Dardaman explains on his blog how he was able to use Microsoft’s own documentation for JavaScript custom functions in the Insider Preview edition of Excel to link a spreadsheet to the Coinhive cryptomining service.
Right now, JavaScript in Excel custom functions is only supported in the Developer Preview edition, available to Office 365 subscribers enrolled in the Office Insiders program. But it seems inevitable that in the not-too-distant future it will be available in more widely used versions of Excel as well.
We don’t know what security measures Microsoft will put in place to try to prevent abuse of the functionality, or indeed how well they will work.
For now, here’s Dardaman’s advice:
If you are a Blue Teamer, like me, wondering how to defend against such an attack, try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.
"Microsoft’s own documentation" !!!!
Yikes. Sad to hear