|
|
|
|
|
|
by cookiengineer
1595 days ago
|
|
|
> Microsoft takes these kinds of vulnerabilities (...) seriously. Sorry, CVE database disagrees with you when looking at the statistics of how often RCE macro loopholes are found in embedded VBA APIs inside spreadsheets. Some examples: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Excel From those 439 around ~350 are _remote_ execution exploits with their own CVE ID, meaning another VBA API or programming paradigm was affected and downloaded and executed code remotely without the user noticing. I'd argue that "taking this seriously" is the opposite of the sheer amount of those CVE IDs. And these are only the vulnerabilities we publicly know of, there are far worse VBA exploits being traded on dark markets. The reason why Microsoft took so long to deprecate these VBA APIs is that large enterprise-grade organizations do almost everything in Excel. From querying a database server to storing a financial report remotely on a mounted net share drive to even including another external file for the inclusion of modules or methods. It really makes you wannacry. |
|
|
Sure, but there's a difference between having a large codebase to cover and what is being discussed above. Nothing you've said is contrary to GP.
I am willing to counter any bet that Excel formulas will open an external program without prompting.