From querying a database server to storing a financial report remotely on a mounted net share drive to even including another external file for the inclusion of modules or methods. The reason why Microsoft took so long to deprecate these VBA APIs is that large enterprise-grade organizations do almost everything in Excel. I'd argue that "taking this seriously" is the opposite of the sheer amount of those CVE IDs. And these are only the vulnerabilities we publicly know of; there are far worse VBA exploits being traded on dark markets. Sorry, CVE database disagrees with you when looking at the statistics of how often RCE macro loopholes are found in embedded VBA APIs inside spreadsheets. From those 439 around ~350 are _remote_ execution exploits with their own CVE ID, meaning another VBA API or programming paradigm was affected and downloaded and executed code remotely without the user noticing. Microsoft takes these kinds of vulnerabilities (.) seriously.