Cisco's Talos security bods predict new wave of Excel Hell

It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft's Windows OS and Office suite. While recent versions of Office block Visual Basic for Applications (VBA) …

  1. Woodnag


    Change the default program for .xll to Notepad or similar. Create or copy a text file to the desktop, then change suffix from .txt to .xll. Right click the file, and change the default program. Job done, snarf down some Fuller's London Pride to (ex)celebrate.

    1. Anonymous Coward

      Re: Workaround

      Avoid Microsoft software altogether, and you strip a massive attack footprint from your infrastructure. Cheaper too.

      1. Christopher Reeve's Horse

        Re: Workaround

        Avoid flying altogether, and strip a massive risk of being in an aviation accident from your life. Cheaper too.

        I mean yeah, but...

        Yes, yes, I know there are many alternatives to a lot of MS products, but they ain't always possible, feasible, practical, etc.

          1. Anonymous Coward

          Re: Workaround

          That's merely stating the very fact that Microsoft would not want anyone to talk about. Annoying, I know :).

        2. Michael Wojcik Silver badge

          Re: Workaround

          And as long as businesses insist on putting Microsoft Office on every damn end-user machine, we'll need workarounds like changing the handler for .XLL. (I believe such a change could be pushed via Group Policy, though I haven't actually tried it.)

    2. Frank Bitterlich

      Re: Workaround

      ... until next week when MS comes up with a new version of Notepad that can actually use XLL files.

      It's laughable that in 2022 MS still thinks letting anybody execute arbitrary code packaged in a nice little file that you can send by email is a good idea.
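The workaround in this thread (re-pointing the .xll handler) and the Group Policy idea both come down to what the registry says about .xll, so here is an added audit script, not from the article or any commenter, that reports the effective .xll association and the XLL add-ins Excel is set to auto-load. It assumes Windows PowerShell 5.1 or later on a machine with Office installed and uses only the standard registry locations; the `Get-XllHandlerReport` name is my own.

```powershell
# Added example: audit how this user's machine handles .xll files and which
# XLL add-ins Excel auto-loads. Read-only; nothing is changed.
function Get-XllHandlerReport {
    $report = [ordered]@{}

    # 1. Effective .xll association: the per-user UserChoice wins over
    #    HKCU\Software\Classes, which wins over the machine-wide HKLM default.
    #    Excel's own ProgID is normally "Excel.XLL"; after the Notepad
    #    workaround above you would expect something like "txtfile" here.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xll\UserChoice'
    $report.UserChoiceProgId  = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    $report.HkcuClassesProgId = (Get-ItemProperty -Path 'HKCU:\Software\Classes\.xll' -ErrorAction SilentlyContinue).'(default)'
    $report.HklmClassesProgId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.xll' -ErrorAction SilentlyContinue).'(default)'

    # 2. Add-ins Excel loads at start-up: values OPEN, OPEN1, OPEN2, ... under
    #    HKCU\Software\Microsoft\Office\<version>\Excel\Options, typically
    #    of the form /R "C:\path\addin.xll". Unexpected entries here are
    #    a common persistence spot and worth checking against known add-ins.
    $autoload = foreach ($ver in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        $opts = Join-Path $ver.PSPath 'Excel\Options'
        if (Test-Path $opts) {
            $props = Get-ItemProperty -Path $opts
            foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -match '^OPEN\d*$' })) {
                [pscustomobject]@{ Version = $ver.PSChildName; Value = $name; Target = $props.$name }
            }
        }
    }
    $report.AutoLoadAddIns = @($autoload)

    # 3. Anything in the per-user XLSTART folder is also loaded when Excel
    #    starts, so list any .xll files sitting there.
    $xlstart = Join-Path $env:APPDATA 'Microsoft\Excel\XLSTART'
    $report.XlStartXlls = @(Get-ChildItem -Path $xlstart -Filter '*.xll' -ErrorAction SilentlyContinue |
                            Select-Object -ExpandProperty FullName)

    [pscustomobject]$report
}

Get-XllHandlerReport | Format-List
```

Run it once before and once after applying the handler change to confirm which of the three association keys actually took effect on your Windows build, since the UserChoice entry overrides the others.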

  2. Nevermind

    Meanwhile a major UK defence contractor is busy converting all its forms, docs and reports to Excel and circulating around its supply chain and partner orgs...wonder what'll happen when an infection occurs?

    1. Anonymous Coward
  3. Anonymous Coward

    "They exist to let third-party apps add extra functionality to the spreadsheet"

    There's your problem!

    1. ThatOne Silver badge

      Hacking is an extra functionality all right. All is going according to (marketing) plan.

    2. Michael Wojcik Silver badge

      "Excel is already a nightmare of ill-conceived misfeatures, but what if we added more misfeatures?"

  4. Anonymous Coward

    Can somebody working in corporate explain why companies still use Microsoft excel?

    LibreOffice is a fine substitute and I have no problems performing advanced functions, including macros, without my machine being compromised or vulnerable. The list of CVEs for LibreOffice is low too.

    Isn't a win win for corporates just to use LibreOffice, even if just for spreadsheets?

    1. Anonymous Coward

      You're looking at the side effect of the entanglement that using Microsoft products brings along to ensure later migration will be too costly.

      It's a mix of interdependencies, absence of open standards and any anti-competitive measure they can get away with. Add to that their wining and dining of government officials, law makers and high end people in companies who have no clue but do have budgetary and decision power, some law breaking and IP theft and you have a Hotel California model that has been in play for some four decades now.

      That's why it's always better to start a company on open principles, as converting later is possible but your motivation will then not be cost because the untangling prior to conversion will burn a lot of money too. The best arguments for later conversion are massive risk reduction, better resilience and higher productivity. And pragmatically, freedom doesn't count - it's a nice factor, but it's hard to translate to tangible numbers on a spreadsheet.

    2. Michael Wojcik Silver badge

      I can't even imagine how much grief our IT department would get from the non-security-conscious users – which is by far the majority of them – if they tried to replace any of the Office suite with alternatives.

      In one of our products, we replaced a couple of inconsistent, awkward, unsafe, generally lousy web administration UIs with a single UI that was developed under good SDLC practices, follows accessibility guidelines like §508 and WCAG, is internally consistent, and offers a lot more functionality. Years ago. Many users insist on re-enabling the legacy UIs and using those instead, despite their many disadvantages. People do not want to change from the tools they're used to, even – or particularly – to be more secure.

  5. ThatOne Silver badge

    Perfect bait

    > "Details of Project Marketing Plan and Facebook Google Ads Results Report."

    OMG, marketing will be all over that bait! Career-enhancing information not meant for you, just a click away, who cares about some stupid techie warnings!

    Obviously it's a little too juicy to be honest if you bother thinking about it (it only lacks a "only for the marketing director's eyes!" part), but then again marketing has never been too bright and greed can move mountains.

  6. Anonymous Coward

    Two words in the same sentence......again!!

    Quote: "...cybercriminals from targeting Microsoft..."

    ...and the words are "cybercriminals".....and you get to guess the other word!! begins with the letter "M".....

    ...and this has been going on since the Brain virus in 1986.....see link:

    Yup........thirty six years......and still counting.......
