The immediate reaction of a lot of cyber-security professionals to the news that Microsoft Excel would support JavaScript was, “What could go wrong?” The clear implication was that a lot could go wrong, that this creates a lot of risk, and that it was an unnecessary step.
It is true that including JavaScript support in Excel will increase the ways that bad actors have to compromise users’ computers. It is also true that many people’s devices will get breached. Within just a couple of days of Microsoft’s announcement, someone had created a proof of concept showing how to load bitcoin-mining software into Excel.
However, cyber-security specialists also run a risk of preventing progress in the name of security. Microsoft would not have gone to the effort or expense of building this functionality if it weren’t something users wanted.
At present, writing scripts for Excel sheets requires using Microsoft’s arcane, custom Visual Basic (VBA) language. Some people may specialize in it, but it would be a lot easier for many tech-savvy users and software professionals to use JavaScript, which is vastly better known and practiced.
This move also makes Excel more compatible with Google Sheets, so that porting scripts between the two becomes easier. That has its own obvious benefits, such as making offline development easier, making libraries portable between Excel and other spreadsheet apps, and giving people freedom to choose their environment.
I was glad to see that at least one other person also saw this as a welcome addition. I can see why other security professionals see the downsides, but if anything this will also make their skills more useful, so they should cheer up.
The security issues will need to be addressed: people may need to be made more aware, and better tools and safety nets need to be added. The attitude that “Users don’t need this” or “Users don’t understand and will create problems” certainly doesn’t help progress. Users want it; it’s the job of engineers to provide it in a way that reduces additional risk.