Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Two more evolving threats in Office: JavaScript functions in Excel and Payment Processing in Outlook


    This topic contains 8 replies, has 8 voices, and was last updated by  TXWizard_2018 4 months, 1 week ago.

    • #191747 Reply

      woody
      Da Boss

      Microsoft’s Build 2018 was a snoozer if ever there was, but two new Office “features” stand out. Not because they’re good. Because they’re just beggin
      [See the full post at: Two more evolving threats in Office: JavaScript functions in Excel and Payment Processing in Outlook]

      4 users thanked author for this post.
    • #191789 Reply

      Mr. Natural
      AskWoody Lounger

      Nothing to be concerned about. Everything is fine.

      2 users thanked author for this post.
    • #191793 Reply

      Microfix
      AskWoody MVP

      Why not facilitate adobe flash insertion also… jobsecurity@microsoft.con

       

      | W8.1 x64 | Linux x64 Hybrid | W7 Pro x64 | XP Pro/ Home Offline
        No problem can be solved from the same level of consciousness that created IT - AE
      3 users thanked author for this post.
    • #191794 Reply

      OscarCP
      AskWoody Lounger

      Question:

      (a) If one did not install Excel add-ins and planned never, ever to install any, then one should have no problems caused by their JavaScript-related vulnerabilities?

      (b) Or are those problematic add-ins included in the monthly Office patches, so they get installed along with the patches, whether one likes it or not?

       

      4 users thanked author for this post.
      • #191795 Reply

        woody
        Da Boss

        As yet unknown, but it looks like the JavaScript routines may arrive inside spreadsheets, and support for them may come from Office (and/or Windows?) updates.

        2 users thanked author for this post.
    • #191798 Reply

      Charlie
      AskWoody Lounger

      Two additional questions:

      1.  What is “Build 2018”?

      2.  Will these JavaScript functions be applied to ALL versions such as Office 2010?

      Never a dull moment anymore!

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

      1 user thanked author for this post.
    • #191886 Reply

      lurks about
      AskWoody Lounger

      MS must operate on the principle of ‘security by stupidity’. If it is so stupid the black hats will not abuse our stupidity, yeah right. Macros are a bad idea in 2018 no matter what the language, and now add a notoriously bad language to the mix: below stupid. Payment through Outlook is going to be abused by scammers very quickly; again, below stupid. I wonder if MS has thought through the potential liability they might be incurring with such a scheme. Companies and people should keep a gap between the invoice and payment. If you get an invoice, make sure you have the supporting documentation that it is legit, and if paying online, why not go directly to the vendor’s site and pay there?

      1 user thanked author for this post.
      • #191926 Reply

        anonymous

        If MS could be appropriately punished by fines and sued by companies/individuals, they’d soon stop releasing these types of garbage features.

        The sooner commercial software companies can be subjected to the same standards that companies that make real products are (e.g. car makers), the sooner we’ll see actual improvements in code security and stability.

        -lehnerus2000

        4 users thanked author for this post.
    • #192709 Reply

      TXWizard_2018
      AskWoody Lounger

      OK, let’s back up a bit. Presumably, the new JavaScript functions will work only in macro-enabled workbooks, as do today’s VBA macros.

      With regard to both macro-enabled workbooks and add-in libraries, there are ample security measures to help you protect yourself from the bad guys. If you don’t use them, that’s no fault of Microsoft, which has both provided and documented them. Among the many safety measures are the following.

      • By default, macros won’t run in anything that arrived over the Internet bearing the Mark of the Web.
      • By default, only digitally signed macros run, whether or not the document from which they are loaded bears the Mark of the Web.
      • By default, VBA projects must be digitally signed by a publisher who belongs to a Trusted Publishers list.
      • By default, the only Trusted Publisher is Microsoft, and maybe another publisher or so whose products are included with Office.
      • Many mail servers disallow macro-enabled workbooks as attachments.
      • Unless I’ve missed a recent change, JavaScript runs in a sandbox. While the Node/JS sandbox is pretty liberal, the last time I checked (maybe two weeks ago), the JavaScript interpreter in Chrome is sandboxed, and the file system is off limits. The only way that I could find to read a file was by loading it from the Web server, via XMLHttpRequest.

      Finally, for what it’s worth, the addition of JavaScript is driven by competition; Google Sheets had it in late 2016, and probably much earlier. I learned about this when a colleague at Bank of America told me that he writes JavaScript code in his Google Sheets workbooks.

      David A. Gray

      Designing for the Ages, One Challenge at a Time
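
Added example, not part of the original post: the Mark of the Web mentioned in the list above is stored on NTFS as an alternate data stream named `Zone.Identifier`, and this PowerShell function reports which macro-capable Excel files in a folder carry it. The function name `Get-MacroFileZone`, the default folder and the extension list are assumptions chosen for illustration.

```powershell
# Added example: report the Mark of the Web on macro-capable Excel files.
# Assumptions: files are on NTFS; the default folder and the extension list
# below are samples and should be adjusted to the environment being audited.
function Get-MacroFileZone {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # Windows URL security zone numbers as written into Zone.Identifier
    $zoneNames = @{
        0 = 'Local machine'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }
    $extensions = '.xlsm', '.xlsb', '.xltm', '.xlam', '.xls'

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zoneId = $null
            # The stream is absent when the file was created locally or was unblocked
            $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in $stream) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
            }
            [pscustomobject]@{
                File         = $_.FullName
                ZoneId       = $zoneId
                Zone         = if ($null -eq $zoneId) { 'No Mark of the Web' } else { $zoneNames[$zoneId] }
                # True for the Internet (3) and Restricted sites (4) zones
                FromInternet = ($zoneId -ge 3)
            }
        }
}

Get-MacroFileZone | Sort-Object ZoneId -Descending | Format-Table -AutoSize
```

Files that report "No Mark of the Web" were either created locally, copied through a path that drops alternate data streams, or explicitly unblocked, so the mark's absence says nothing about where the file originally came from.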
