I mean… Yeah, but the same can be said for VB?
Integrated python scripts in excel sounds like a malware developers dream.
rollerbang@lemmy.world 21 hours ago
dual_sport_dork@lemmy.world 17 hours ago
Especially since VBA can make calls to the Windows API directly and through that avenue do all kinds of funky things to your system.
CameronDev@programming.dev 14 hours ago
Yeah, but lots more tooling and libraries for Python. Its just one more attack surface 🤷
turkalino@lemmy.yachts 1 day ago
Surely there’s some sort of sandboxing that could be done? Like just disallow sys calls entirely
CameronDev@programming.dev 1 day ago
Definitely, but sandboxes can be escaped, and you can’t protect everything via sandbox. Apparently its all cloud anyway, but if it were local and sandboxed, there are still exploits like rowhammer and spectre that may cause further risks.
Its taken years to get browser sandboxes to where they are, and even they get broken every so often.
elvith@feddit.org 1 day ago
They foresaw that. That’s because python on Excel doesn’t run locally, but in the cloud and then returns the result to you: …microsoft.com/…/introduction-to-python-in-excel-…
CameronDev@programming.dev 1 day ago
Still sounds like you’d be shipping your data to the cloud, where it can be exfilled from there.
Would potentially be a great phishing tool, just need to trick someone into putting sensitive data into a precooked excel file, and it gets exfilled.
elvith@feddit.org 1 day ago
Currently only for business customers which probably use OneDrive or SharePoint anyways, so it’s not that they need that to exfiltrate data. But for a phishing/hacking attempt? There are probably some nice possibilities.
magikmw@piefed.social 20 hours ago
That's even worse!
echodot@feddit.uk 19 hours ago
That’s the worst possible solution to that problem. Why can’t they just develop their own script that’s Turing complete but doesn’t have any system calls?
chillhelm@lemmy.world 18 hours ago
Or just use Lua compiled without the system calls. This is done by many video games. İt’s 2025, there is no need to create new domain specific languages.
tux0r@feddit.org 15 hours ago
Or use embedded Lisp, like all the cool kids.
jubilationtcornpone@sh.itjust.works 1 day ago
Fair point. If course that’s already a problem with Excel. It would probably have to be disabled by default just like VBA macros.
Godort@lemmy.ca 1 day ago
Yeah, no doubt.
Having access to visual basic is dangerous enough, let alone Python
Semi_Hemi_Demigod@lemmy.world 1 day ago
And a nightmare for an application developer told to make some app with a spreadsheet for a database scale
CameronDev@programming.dev 1 day ago
Could result in some very cursed codebases.
“We dont use git, we just update the excel spreadsheet”
Gork@sopuli.xyz 1 day ago
I’ve worked at places where they did that anyway lol
frongt@lemmy.zip 1 day ago
That’s just called Access
Zwuzelmaus@feddit.org 1 day ago
Is that creepy thing still alive?
ChickenLadyLovesLife@lemmy.world 9 hours ago
It can’t be … but I wouldn’t be surprised if it was. I remember making fun of Access on StackOverflow circa 2008 and running afoul of some dude there who was like the last living Access consultant on Earth. I’ve never encountered defensive rage like that before or since.
Fun Access fact, the Diebold-manufactured voting machines that featured prominently in the 2000 presidential election cycle used an Access database as their underlying data storage mechanism. Access DBs did incorporate an audit table - which was manually-editable.