A loophole has been identified in Power Query, a feature of Microsoft Excel, that puts 120 million users at security risk. Researchers at a company named Mimecast Services Ltd have created a method to abuse the feature. They used Power Query to install malicious code on users' devices by interacting with them instantly.
Power Query is a data connection technology that Excel files use to discover, combine, connect, and handle data before importing it from remote sources. These remote sources include an external app link, a text document, its own cloud, a web page, and a spreadsheet. Microsoft Excel users have been using Power Query for seven years now.
Loophole in Microsoft Excel:
The security researchers have developed a technique in Microsoft Excel that allows hackers to launch a dynamic data exchange (DDE) attack in anyone's Excel spreadsheet. Even if you are editing your work at home, your Excel work is at risk. This loophole has put the data of millions of users at acute risk of being manipulated.
Microsoft ships the tool with recent versions of Excel and offers it as a separate downloadable add-in for older Excel versions. The researchers claim that malicious code can be dropped and executed through this technique, compromising the user's machine.
The feature is said to give rich control over users' machines, and it can even be used to fingerprint a sandbox or the user's machine before any payload is delivered. The attackers also control the pre-payload and pre-exploitation stages. Hackers may attack the whole system by sending a malicious payload that makes the file look harmless to security solutions and sandboxes.
It is better not to download an Excel sheet if it gives you even a hint of being malicious to your machine. It is also better to disable DDE in Excel.
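As a way to act on that advice before opening a file, the following added example (not from the article or from Mimecast) triages a workbook for Power Query connections and DDE links without launching Excel. The part names and markers it looks for are assumptions based on the OOXML package layout, and the sample workbooks are constructed.

```python
import io
import re
import zipfile

# Markers are assumptions of this sketch (OOXML conventions, not from the article):
# Power Query connections name the Mashup OLE DB provider; DDE links are stored
# as <ddeLink> elements under xl/externalLinks/.
MASHUP = b"Microsoft.Mashup.OleDb"
DDE_LINK = re.compile(rb"<(?:\w+:)?ddeLink\b")

def triage_workbook(data: bytes) -> dict:
    """Report which risky features a .xlsx/.xlsm byte string carries."""
    findings = {"power_query": False, "dde_link": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower == "xl/connections.xml":
                    findings["power_query"] |= MASHUP in zf.read(name)
                elif lower.startswith("customxml/"):
                    body = zf.read(name)
                    # Query definitions sit in a DataMashup part, usually UTF-16.
                    if b"DataMashup" in body or "DataMashup".encode("utf-16-le") in body:
                        findings["power_query"] = True
                elif lower.startswith("xl/externallinks/") and lower.endswith(".xml"):
                    findings["dde_link"] |= bool(DDE_LINK.search(zf.read(name)))
    except zipfile.BadZipFile:
        # Legacy .xls or corrupt input is not an OOXML package; use other tooling.
        findings["error"] = "not an OOXML zip package"
    return findings

def _sample(parts: dict) -> bytes:
    """Build a constructed in-memory package from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples holding only the relevant part (not real workbooks).
PQ_BOOK = _sample({"xl/connections.xml":
    b'<connections><connection id="1"><dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Location=Query1"/></connection></connections>'})
DDE_BOOK = _sample({"xl/externalLinks/externalLink1.xml":
    b'<externalLink><ddeLink ddeService="svc" ddeTopic="topic"/></externalLink>'})
CLEAN_BOOK = _sample({"xl/workbook.xml": b"<workbook/>"})

if __name__ == "__main__":
    for label, book in [("pq", PQ_BOOK), ("dde", DDE_BOOK), ("clean", CLEAN_BOOK)]:
        print(label, triage_workbook(book))
```

A hit means only that the workbook can pull external data or use DDE, so it is a reason to quarantine and inspect the file, not proof that it is malicious.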