{"id":12268,"date":"2018-05-11T08:30:04","date_gmt":"2018-05-11T16:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/11\/news-6037\/"},"modified":"2018-05-11T08:30:04","modified_gmt":"2018-05-11T16:30:04","slug":"news-6037","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/05\/11\/news-6037\/","title":{"rendered":"Two more evolving threats: JavaScript in Excel and payment processing in Outlook"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/windows_security_safety_protection_encryption_locks_thinkstock_831741980-100749419-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 11 May 2018 09:04:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Once upon a time \u2013 dating back to the first \u201cConcept\u201d macro virus in Word \u2013 the Office folks were wary of new features that had possible security implications. But in the past few weeks, we\u2019ve been introduced to two new features that have \u201cKick Me\u201d written all over them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, JavaScript in Excel. I mean, what could possibly go wrong?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Last December, Microsoft published a <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/office\/dev\/add-ins\/excel\/excel-add-ins-core-concepts\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Dev Center article<\/span><\/a><span style=\"font-weight: 400;\"> that talked about using the new Excel JavaScript API to create add-ins for Excel 2016. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The web-based Excel add-ins run inside a browser container that is embedded within the Office application on desktop-based platforms such as Office for Windows and runs inside an HTML iFrame in Office Online.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On May 6, in conjunction with the Build conference, the Dev Center <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/office\/dev\/add-ins\/excel\/custom-functions-overview\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">added this document<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Custom functions (similar to user-defined functions, or UDFs), enable developers to add any JavaScript function to Excel using an add-in. Users can then access custom functions like any other native function in Excel (such as <\/span><span style=\"font-weight: 400;\">=SUM()<\/span><span style=\"font-weight: 400;\">).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are lots of technical details, but the idea is that \u2013 starting right now in the Excel beta (Office Insider program) \u2013 you can write a JavaScript program that\u2019s run much like a user-defined Excel function. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u2026 and the black-hat, white-hat and rainbow-hat crowds went wild. 
Lawrence Abrams at BleepingComputer <\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/poc-developed-for-coinhive-mining-in-excel-using-custom-javascript-functions\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">posted<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Within days of Microsoft announcing that they are introducing <\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-adds-support-for-javascript-functions-in-excel\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">custom JavaScript functions in Excel<\/span><\/a><span style=\"font-weight: 400;\">, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel\u2026. When we had reported about the new custom JS functions, it was quickly seen that no matter how useful this new feature may be, people felt it would also be utilized for more nefarious purposes. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Charles Dardaman was <\/span><a href=\"https:\/\/charles.dardaman.com\/js_coinhive_in_excel\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">first to the post<\/span><\/a><span style=\"font-weight: 400;\"> with this:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This morning, I read that Microsoft announced that they have added JavaScript functions into the insiders preview build of Excel\u2026. I even went as far as to offer a small bounty to anyone at Dallas Hackers who could build and present on it at next month\u2019s meetup\u2026. After making this offer, I started to read Microsoft\u2019s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. 
After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Just like that.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Then there\u2019s the newly announced \u201cStreamlining payment processes\u201d in Outlook. Mike Ammerlaan writing in the Dev Center <\/span><a href=\"https:\/\/dev.office.com\/blogs\/conversations-become-actions-in-outlook\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">explains it thusly<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Many emails in your inbox revolve around completing payment transactions such as paying a bill or invoice. \u00a0We will soon be introducing payments in Outlook to help users to pay bills or invoices, right in email, without needing to switch to another app or service.\u202f \u00a0Powered by <\/span><a href=\"https:\/\/www.microsoft.com\/payments\" rel=\"nofollow\"><span style=\"font-weight: 400;\">Microsoft Pay<\/span><\/a><span style=\"font-weight: 400;\">, payments in Outlook is a fast and secure way to pay from within email. \u00a0To start, it will be supported by a number of payment processors including Stripe and Braintree, billing services including Zuora, and invoicing services including FreshBooks, Intuit, Invoice2Go, Sage, Wave, and Xero. 
\u00a0We are also working together to include Fiserv, through the Fiserv Innovation Network.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Businesses that send bills or invoice notifications to customers over email can now embed a payment action within Outlook.\u202f To get started working with payments in Outlook, <\/span><a href=\"https:\/\/aka.ms\/olkpaymentdocs\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">please review our documentation<\/span><\/a><span style=\"font-weight: 400;\">. \u00a0Note that Outlook is not a bill payment service and Microsoft is not acting as a bill pay agent. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Payments in Outlook will roll out in phases, initially to a limited number of <\/span><a href=\"http:\/\/outlook.com\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Outlook.com<\/span><\/a><span style=\"font-weight: 400;\"> customers over the next few weeks and will be available more broadly in the coming months. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Yeah. What could possibly go wrong?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019ve been accused in the past of whining about new \u201cfeatures\u201d that seem ripe for painful plucking: \u201cWoody, nobody will ever use that loophole,\u201d and, \u201cYou don\u2019t give enough credit to our fancy new security system.\u201d Time and again, I\u2019ve seen those new security systems fail.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">What do you think? 
Join us on the <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2018\/two-more-evolving-threats-in-office-javascript-functions-in-excel-and-payment-processing-in-outlook\/\" rel=\"nofollow\"><i><span style=\"font-weight: 400;\">AskWoody Lounge<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3271436\/microsoft-windows\/two-more-evolving-threats-javascript-in-excel-and-payment-processing-in-outlook.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/windows_security_safety_protection_encryption_locks_thinkstock_831741980-100749419-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 11 May 2018 09:04:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Once upon a time \u2013 dating back to the first \u201cConcept\u201d macro virus in Word \u2013 the Office folks were wary of new features that had possible security implications. But in the past few weeks, we\u2019ve been introduced to two new features that have \u201cKick Me\u201d written all over them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, JavaScript in Excel. 
I mean, what could possibly go wrong?<\/span><\/p>\n<aside class=\"fakesidebar\"><strong>[ Further reading: <a href=\"https:\/\/www.computerworld.com\/article\/3268664\/enterprise-applications\/10-spiffy-new-ways-to-show-data-with-excel.html#tk.ctw-infsb\">10 spiffy new ways to show data with Excel<\/a> ]<\/strong><\/aside>\n<p><span style=\"font-weight: 400;\">Last December, Microsoft published a <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/office\/dev\/add-ins\/excel\/excel-add-ins-core-concepts\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Dev Center article<\/span><\/a><span style=\"font-weight: 400;\"> that talked about using the new Excel JavaScript API to create add-ins for Excel 2016. <\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3271436\/microsoft-windows\/two-more-evolving-threats-javascript-in-excel-and-payment-processing-in-outlook.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[15605,714,10525],"class_list":["post-12268","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-office-software","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/w
p-json\/wp\/v2\/comments?post=12268"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12268\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}