Microsoft Excel ads custom JavaScript support, and it only takes days to be used for mining crypto currency

A recent update Microsoft published to Excel to add custom JavaScript support has gone wrong. As most figured after showing off the demo that included adding custom JavaScript to the document.

Office developers have been wanting to write JavaScript custom functions for many reasons ~ Microsoft during Build 2018 developer conference

Many computer researchers on Twitter wondered how soon before it will be abused, but it did not take long for Chase Dardaman to figure it out. Within hours he had Excel running Coinhive. Coinhive is a JavaScript crypto currency mining script that normally allows websites to mine for coins on a users browser.

 

The real question is why Microsoft chose to add JavaScript support when it knows it can be abused to run code in a document and be shared around. The good news this is just a option so it cant be abused at this time, but researchers are good at finding ways around restrictions.

Dardaman has created a blog post about making Excel run a crypto miner on his blog that you can read at https://charles.dardaman.com/js_coinhive_in_excel.