this post was submitted on 21 Aug 2025
484 points (98.4% liked)
Technology
74265 readers
4331 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Integrated python scripts in excel sounds like a malware developers dream.
I mean... Yeah, but the same can be said for VB?
Yeah, but lots more tooling and libraries for Python. Its just one more attack surface 🤷
Especially since VBA can make calls to the Windows API directly and through that avenue do all kinds of funky things to your system.
Surely there’s some sort of sandboxing that could be done? Like start by disallowing sys calls entirely
Definitely, but sandboxes can be escaped, and you can't protect everything via sandbox. Apparently its all cloud anyway, but if it were local and sandboxed, there are still exploits like rowhammer and spectre that may cause further risks.
Its taken years to get browser sandboxes to where they are, and even they get broken every so often.
And a nightmare for an application developer told to make some app with a spreadsheet for a database scale
Could result in some very cursed codebases.
"We dont use git, we just update the excel spreadsheet"
I've worked at places where they did that anyway lol
That's just called Access
Is that creepy thing still alive?
They foresaw that. That's because python on Excel doesn't run locally, but in the cloud and then returns the result to you: https://support.microsoft.com/en-us/office/introduction-to-python-in-excel-55643c2e-ff56-4168-b1ce-9428c8308545
That's the worst possible solution to that problem. Why can't they just develop their own script that's Turing complete but doesn't have any system calls?
Or just use Lua compiled without the system calls. This is done by many video games. İt's 2025, there is no need to create new domain specific languages.
Or use embedded Lisp, like all the cool kids.
That's even worse!
Still sounds like you'd be shipping your data to the cloud, where it can be exfilled from there.
Would potentially be a great phishing tool, just need to trick someone into putting sensitive data into a precooked excel file, and it gets exfilled.
Currently only for business customers which probably use OneDrive or SharePoint anyways, so it's not that they need that to exfiltrate data. But for a phishing/hacking attempt? There are probably some nice possibilities.
Fair point. Of course that's already a problem with Excel. It would probably have to be disabled by default just like VBA macros.
Yeah, no doubt.
Having access to visual basic is dangerous enough, let alone Python