
Loophole in Microsoft Excel’s Power Query feature threatens the security of 120 million users

A new vulnerability found in Microsoft Excel’s Power Query feature poses a big threat to its millions of users.

Researchers at security firm Mimecast Services Ltd. have developed a method to abuse a legitimate Microsoft Excel feature, Power Query, to install malicious code on users’ devices by interacting with them infrequently yet instantly.

For the uninitiated, Power Query is a data connection technology that Microsoft Excel users have been using for seven years now. The feature allows Excel files to discover, combine, connect, and handle data before importing it from remote sources, such as an external link app with its own cloud, a text document, another spreadsheet, or even a web page.

However, a major vulnerability found by the security researchers can allow hackers to use Power Query to launch a Dynamic Data Exchange (DDE) attack in your very own Excel spreadsheet, one you may well be editing while resting at home. Beyond this, the loophole can allow hackers to launch a more critical attack that can involve different sorts of malware and can easily compromise the user’s machine as soon as they open the spreadsheet.

Microsoft has recently included this tool in recent versions of Excel, and it is available as a separate downloadable add-in for older Excel versions. Meanwhile, the researchers claim that, through this technique, malicious code could be used to drop and execute malware that can compromise the user’s machine. As the researcher states:

“The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads. The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”

So it is better not to download an Excel sheet that gives even a slight hint of malicious content. More information on how to disable DDE in Excel is available in Microsoft’s KB4053440 guidelines.
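A defender can check whether a workbook carries Power Query or DDE connections before anyone opens it in Excel. The following Python script is an added example, not code from this article or from Mimecast's research; the marker strings and part names are assumptions based on the Office Open XML package layout, and the sample workbook is constructed.

```python
import io
import re
import zipfile

# Byte markers inside an .xlsx (OOXML zip) that indicate external data features.
MARKERS = {
    "power_query_connection": b"Microsoft.Mashup.OleDb",  # Power Query provider string
    "power_query_definition": b"<DataMashup",             # embedded query definition
    "dde_link": b"<ddeLink",                              # DDE external link
}
WEB_URL = re.compile(rb'<webPr\b[^>]*?\burl="([^"]*)"')   # legacy web query target

def triage_xlsx(data: bytes) -> dict:
    """Report which external-data markers a workbook contains, without opening it in Excel."""
    found = {key: [] for key in MARKERS}
    found["web_query_urls"] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Assumption: dropping NUL bytes lets ASCII markers match in UTF-16 parts too.
            raw = zf.read(name).replace(b"\x00", b"")
            for key, marker in MARKERS.items():
                if marker in raw:
                    found[key].append(name)
            found["web_query_urls"] += [u.decode("utf-8", "replace") for u in WEB_URL.findall(raw)]
    return found

def build_sample() -> bytes:
    """Constructed sample: a minimal zip carrying only the parts this check reads."""
    parts = {
        "xl/connections.xml": '<connections><connection id="1" name="Query - Query1">'
            '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;'
            'Location=Query1" command="SELECT * FROM [Query1]"/></connection>'
            '<connection id="2" name="web"><webPr url="https://example.test/data"/>'
            '</connection></connections>',
        "xl/worksheets/sheet1.xml": "<worksheet><sheetData/></worksheet>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
        # Assumption: the DataMashup custom XML part is UTF-16 encoded, so the sample is too.
        zf.writestr("customXml/item1.xml", '<DataMashup xmlns="x">AAAA</DataMashup>'.encode("utf-16"))
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in triage_xlsx(build_sample()).items():
        print(key, value)
```

A match is not proof of malice, since legitimate workbooks use these features; treat it as a reason to inspect the file in an isolated environment before opening it.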

Sajeel Syed

I am a writer at TechJuice, overseeing IT, Telecom, Cryptocurrency, and other tech-related features here. When I'm not working, I spend some of my time with good old Xbox 360 and the rest in social activism. Follow me on Twitter: https://twitter.com/sajeelshamsi
