Two more evolving threats: JavaScript in Excel and payment processing in Outlook

In the well-established Office Ready-Fire-Aim tradition, Microsoft adds two new “features” that beg to be abused. Details appeared at Build, and the bad guys already have their keyboards primed.

[Image: Windows security and protection. Credit: Thinkstock / Microsoft]

Once upon a time – dating back to the first “Concept” macro virus in Word – the Office folks were wary of new features that had possible security implications. But in the past few weeks, we’ve been introduced to two new features that have “Kick Me” written all over them.

First, JavaScript in Excel. I mean, what could possibly go wrong?

Last December, Microsoft published a Dev Center article that talked about using the new Excel JavaScript API to create add-ins for Excel 2016.

The web-based Excel add-ins run inside a browser container that is embedded within the Office application on desktop-based platforms such as Office for Windows and runs inside an HTML iFrame in Office Online.

On May 6, in conjunction with the Build conference, the Dev Center added this document:

Custom functions (similar to user-defined functions, or UDFs), enable developers to add any JavaScript function to Excel using an add-in. Users can then access custom functions like any other native function in Excel (such as =SUM()).

There are lots of technical details, but the idea is that – starting right now in the Excel beta (Office Insider program) – you can write a JavaScript program that’s run much like a user-defined Excel function.

… and the black-hat, white-hat and rainbow-hat crowds went wild. Lawrence Abrams at BleepingComputer posted:

Within days of Microsoft announcing that they are introducing custom JavaScript functions in Excel, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel…. When we had reported about the new custom JS functions, it was quickly seen that no matter how useful this new feature may be, people felt it would also be utilized for more nefarious purposes.

Charles Dardaman was first to the post with this:

This morning, I read that Microsoft announced that they have added JavaScript functions into the insiders preview build of Excel…. I even went as far as to offer a small bounty to anyone at Dallas Hackers who could build and present on it at next month’s meetup…. After making this offer, I started to read Microsoft’s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.

Just like that.

Then there’s the newly announced “Streamlining payment processes” in Outlook. Mike Ammerlaan writing in the Dev Center explains it thusly:

Many emails in your inbox revolve around completing payment transactions such as paying a bill or invoice. We will soon be introducing payments in Outlook to help users to pay bills or invoices, right in email, without needing to switch to another app or service. Powered by Microsoft Pay, payments in Outlook is a fast and secure way to pay from within email. To start, it will be supported by a number of payment processors including Stripe and Braintree, billing services including Zuora, and invoicing services including FreshBooks, Intuit, Invoice2Go, Sage, Wave, and Xero. We are also working together to include Fiserv, through the Fiserv Innovation Network.

Businesses that send bills or invoice notifications to customers over email can now embed a payment action within Outlook. To get started working with payments in Outlook, please review our documentation. Note that Outlook is not a bill payment service and Microsoft is not acting as a bill pay agent.

Payments in Outlook will roll out in phases, initially to a limited number of Outlook.com customers over the next few weeks and will be available more broadly in the coming months.

Yeah. What could possibly go wrong?

I’ve been accused in the past of whining about new “features” that seem ripe for painful plucking: “Woody, nobody will ever use that loophole,” and, “You don’t give enough credit to our fancy new security system.” Time and again, I’ve seen those new security systems fail.

What do you think? Join us on the AskWoody Lounge.
