A virtual currency mining script is embedded immediately by exploiting the JavaScript custom function added to Excel

Microsoft announced May 7, 2018 that adding JavaScript custom functions to ExcelAnnouncementHowever, a security demonstration demonstration demonstration demonstrating the virtual currency mining script by exploiting this function is done by security experts.

JavaScript Coinhive in Excel - Charles Dardaman
https://charles.dardaman.com/js_coinhive_in_excel

Microsoft Adds Support for JavaScript in Excel - What Could Possibly Go Wrong?
https://thehackernews.com/2018/05/javascript-function-excel.html

Javascript custom functions are now supported in the Insider program's Excel (build 9325) so that developers can extend Excel's built-in function set.


Security researcher Charles Dirderman immediately tried to embed this mining script of the tool "CoinHive" that monetizes by virtual currency mining within the Excel spreadsheet by exploiting this function, it seemed to have succeeded successfully.

GOT IT!# coinhive#Excel# Microsoft#Malwarepic.twitter.com/QvHkgnGFkQ

- Chase Dardaman (@ CharlesDardaman)May 8, 2018

To participate in the procedure, "Join the Office Insider program and install build 9325 (13.329 for Mac) Excel" → "Launch the Excel add-in as instructed in the report's README.md and change and debug the code "→" Enter "= CONTOSO.ADD 42 (1, 2)" in an arbitrary cell and press the enter key to activate the custom function ". Dadaman reports that it has easily succeeded in embedding mining scripts easily with "only added functionality as documented by Microsoft".

The API itself that executes the JavaScript custom function is not started immediately after opening the spreadsheet, but you need to manually load and execute the JavaScript function using the Excel add-in function. Also, if you try to execute a JavaScript function in an Excel spreadsheet connected to an external server, permission to connect is requested, so it seems to prevent the execution of illegal code.

For this reason, it is said that until the method of executing the virtual currency mining script that exploits the JavaScript custom function without operation on the user side is devised, it does not become the situation that "it was being mined before it was known" For now it seems not necessary to be overly sensitive.