  • JavaScript equations coming to Excel. What on earth are they thinking?

    Posted on May 9th, 2018 at 13:28 by woody

    I was going to let this one fly by, but I just can’t.

    If you’re in the Office Insider program, you can now use custom functions in Excel that are written in… my sweet lord… JavaScript.

    The Office Dev Center describes the functions thusly:

    Custom functions (similar to user-defined functions, or UDFs), enable developers to add any JavaScript function to Excel using an add-in. Users can then access custom functions like any other native function in Excel (such as =SUM()). … Custom functions are now available in Developer Preview on Windows, Mac, and Excel Online.

    My jaw dropped when I heard that in the aftermath of a Build presentation yesterday. In fact, I figured I heard it wrong. But no.

    What’s wrong with making JavaScript available as an in-the-sheet programming language? As Lawrence Abrams at BleepingComputer notes, “within hours” a security researcher, Chase Dardaman, figured out a way to put the CoinHive in-browser JavaScript miner inside a spreadsheet.

    As if 25 years of macro malware wasn’t enough.



    This topic contains 29 replies, has 20 voices, and was last updated by Mr. Natural 10 months, 2 weeks ago.

    • #191232 Reply

      woody
      Da Boss

      I was going to let this one fly by, but I just can’t. If you’re in the Office Insider program, you can now use custom functions in Excel that are writ
      [See the full post at: JavaScript equations coming to Excel. What on earth are they thinking?]

      4 users thanked author for this post.
    • #191237 Reply

      AlexEiffel
      AskWoody_MVP

      When I often say I don’t want a constant flux of new features that I need to review to make sure I really don’t want to disable them because I can’t trust Microsoft’s judgment of what default settings and new features I should have…

      There’s always someone to have a bad great idea somewhere that someone should veto. Please, I don’t want to be excited by new features, I just want to continue using my working computer without fear of your updates.

      9 users thanked author for this post.
    • #191240 Reply

      anonymous

      Doesn’t Excel already provide VBScript, and isn’t that Turing complete? What prevents that from being used to mine crypto? Couldn’t they just convert from JScript to VBScript?

    • #191248 Reply

      Jan K.
      AskWoody Lounger

      As Lawrence Abrams at BleepingComputer notes, “within hours” a security researcher, Chase Dardaman, figured out a way to put the CoinHive in-browser JavaScript miner inside a spreadsheet.

      Ah, come on!

      Surely Microsoft and the most secure OS ever (!) easily handles such minute and trivial details…

      Sigh.

      1 user thanked author for this post.
    • #191249 Reply

      Mr. Natural
      AskWoody Plus

      You know what has always bothered me is that it seems that the only web sites still requiring Java are web sites that should have the highest level of security possible. This includes corporate banking sites (not consumer), online trading programs, HR portals to name a few. Crazy is the new norm in everything it seems.

      Red Ruffnsore reporting from the front lines.

      2 users thanked author for this post.
      • #191272 Reply

        Ascaris
        AskWoody_MVP

        You know what has always bothered me is that it seems that the only web sites still requiring Java are web sites that should have the highest level of security possible.

        My bank does require Java for certain functions, and then it yells at me for using an “unsupported” browser, which I have to use if I am going to use 32-bit Java in the first place.

        I’ve tried to use Waterfox (which still allows Java, but is exclusively 64-bit), but the applet won’t run.  It fails with a warning that I need to use a 32-bit browser!  And if that was not bad enough, I have to run the Java applet in Windows; it does not work in Linux natively.

        What I’ve done is to set up a VM containing a 32-bit Firefox ESR installation with the Java plugin with its own dedicated profile.  That Firefox is only allowed to visit the IP(s) associated with the bank… it (the browser and the VM) gets closed immediately after doing whatever the banking thing was, and remains dormant until the next banking thing.

         

        Group "L" (KDE Neon User Edition 5.15.3 & Kubuntu 18.04).

        1 user thanked author for this post.
        • #191424 Reply

          hitokage
          AskWoody Lounger

          I had this issue too – Java app to scan checks for e-deposit. Initially I thought it was because they didn’t want to confuse anybody with 32-bit versus 64-bit Java, so I set the user agent sent to pretend to be 32-bit. However the Java app doesn’t work with 64-bit Java.

          This is messed-up for many reasons:
          Java apps were supposed to be able to run on anything, but don’t necessarily (libraries)
          Chrome hasn’t supported NPAPI for quite a while
          Mozilla blocked all NPAPI plug-ins except for Flash (except for the current ESR version – until it reaches EOL)
          Mozilla (like Google) moved those on a 64-bit OS to 64-bit browser about a year ago

          I use 64-bit Pale Moon, although I did have to install a copy of the 32-bit version for this reason.

      • #191302 Reply

        Karlston
        AskWoody Plus

        Javascript ain’t Java.

        If we banned everything that’s been abused or is capable of being abused, we’d all be sitting stark naked, on bare earth, in the dark. 🙂

        Hanlon's Razor: Never attribute to malice that which can be adequately explained by stupidity.

        5 users thanked author for this post.
        • #191459 Reply

          AlexN
          AskWoody Lounger

          I can bash your head against the bare earth.  I still found a way to deliver abuse in spite of all thoughts contrary.

          I should go work for Microsoft.

          Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
          A weatherman that can code

          1 user thanked author for this post.
    • #191259 Reply

      anonymous

      Anything that can be touted as innovation will be used to convince users that they should continue paying for feature bloat. It’s all consistent with the fact that Microsoft has its head in the Cloud(s).

      3 users thanked author for this post.
      • #191388 Reply

        GoneToPlaid
        AskWoody Plus

        And that may be exactly why Microsoft wants to back Javascript into Excel — to allow hidden “edge computing” on all of your computers.

        2 users thanked author for this post.
    • #191282 Reply

      Noel Carboni
      AskWoody_MVP

      Woody, were you imagining that Microsoft doesn’t want vulnerabilities in their software?

      How on Earth would they lock people into their update ecosystem if they didn’t introduce new vulnerabilities?

      -Noel

      4 users thanked author for this post.
    • #191293 Reply

      John
      AskWoody Lounger

      Sort of like installing an expensive alarm system in a car, then leaving the keys in the ignition.

      3 users thanked author for this post.
    • #191301 Reply

      cesmart4125
      AskWoody Plus

      I’m still on Office 2010.  Will this affect my version of Excel?  If so, please let me know which update this is so I can hide it.

      Thanks in advance for your informing me of the “update.”

       

      2 users thanked author for this post.
      • #191375 Reply

        Bill C.
        AskWoody Plus

        From my read of the article and the comments and questions, the author says MS is not going to support Office 2013. So I will guess that leaves Office 2010 alone also. Not sure from the article whether it will be a standard package or if it will remain opt-in or by adding a feature. The article said it will be able to be disabled.

        4 users thanked author for this post.
    • #191314 Reply

      anonymous

      You’re not making the things we *really* want, Microsoft. How about making a secure and STABLE operating system that doesn’t silently install updates against my will in the background and then rudely interrupt me when I’m trying to do work to install a computer-bricking update?

      It’s a good thing I use Google Docs, Sheets, and Slides now. The only reason why I have Office 365 on this computer is because my school offered it to me for free (well as part of my tuition… perks of being a student!).

      2 users thanked author for this post.
    • #191324 Reply

      anonymous

      Hey Microsoft — Just because something can be done doesn’t mean it’s a Good Idea!

      1 user thanked author for this post.
    • #191333 Reply

      zero2dash
      AskWoody Lounger

      Well, LibreOffice and OpenOffice can do JavaScript, though I’m sure it’s locked down tighter than anything MS would implement, just because – it’s MS. Another attack vector? Sure, why not! o.O

      3 users thanked author for this post.
    • #191336 Reply

      anonymous

      One of the reasons why I still use Microsoft Works 9 (I have the source CD still with the plastic box it came in, too).  And yes it installs on and works with Windows 10 version 1709. Microsoft just gives me Office 2007 suite SP3 updates to make it run correctly. All I use it for is the spreadsheets.

       

      • #191393 Reply

        GoneToPlaid
        AskWoody Plus

        I still use MS Works 4.5a for some stuff — simply because it is so quick and convenient for initial spreadsheet and doc creations. And it actually calculates results correctly within spreadsheets.

        1 user thanked author for this post.
      • #191810 Reply

        MrJimPhelps
        AskWoody_MVP

        Wordpad is a great word processor for most documents. And it is free and comes with Windows, including Windows 10.

        Interestingly, if you click About from within Wordpad, it tells you that the program name is “Windows 10”. In other words, Microsoft treats it like it is part of Windows. The same thing happens if you click Help / About from within Notepad – it tells you that it is “Windows 10”.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        1 user thanked author for this post.
    • #191344 Reply

      OscarCP
      AskWoody Plus

      Three questions, because this is not entirely clear to me:

      (1) Is this an issue with all versions of Excel, from Office 2003 on?

      (2) Is this only an issue if one installs some new addons on E 11 and if so, which ones in particular?

      (3) Is this an issue if one installs a new Windows 7 patch and, if so, which one?

      My thanks, in advance, to anyone that answers them.

       

      1 user thanked author for this post.
    • #191346 Reply

      lurks about
      AskWoody Lounger

      Why not use Python or Ruby, which are both much better designed languages than JavaScript? JS has to be one of the most incompetently designed programming languages released in the last 25 years in general use. But incompetence is nothing new with MS.

      1 user thanked author for this post.
      • #191442 Reply

        MrJimPhelps
        AskWoody_MVP

        Think QBASIC, if you want to know about an incompetently-designed programming language. For decades it seemed, QBASIC was the default programming language distributed by Microsoft and used by many.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        • #191508 Reply

          lurks about
          AskWoody Lounger

          Edsger Dijkstra commented on the original BASIC that anyone who learned “programming” on BASIC was a lost cause. I never had the misfortune to use QBASIC but have had to deal with the imbecilities of IdiotScript.

          • #191518 Reply

            MrJimPhelps
            AskWoody_MVP

            You could define variables on the fly. Misspell a variable name, and you’ve got yourself a new variable! Only way to prevent that was to declare “Option Explicit”. Microsoft should have made Option Explicit the default, and made the programmer specifically declare “Option Implicit” (or whatever it is called) if they wanted to have things the old way.

            Also, QBASIC defaulted to a two-digit year as we were getting within a few years of Y2K, even though Y2K was a big concern at that time. Microsoft should have changed the default to a four-digit year. This wouldn’t have affected anything except for new code, and it would have been an easy fix.

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            • #191584 Reply

              anonymous

              This is going off topic by a wide margin…

              QBASIC came with DOS version 5.0 in 1991, hard to believe that was 27 years ago.

              I’ve seen some folks’ works that did neat things using QBASIC but could have used some (or more) formal teaching about programming properly. It was good to have it included with DOS for people who didn’t know about C, Pascal or other languages allowing folks to express themselves.

        • #191812 Reply

          Mr. Natural
          AskWoody Plus

          A long time ago I used Qbasic all the time….to play gorilla.bas of course!

          Red Ruffnsore reporting from the front lines.

    • #191347 Reply

      Cartoonist Aaron
      AskWoody Lounger

      I think it’s evidence of Microsoft’s bigger problem that a new feature can be, and is, met with the assumption that the new feature is unsafe. (And it doesn’t help that the assumption is apparently correct.)

      2 users thanked author for this post.
    • #191415 Reply

      radosuaf
      AskWoody Lounger

      Isn’t coming to my Office 2007 :).

      MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1809 64-bit
      1 user thanked author for this post.
