Making Excel Less Of An XXL Risk By Blocking Free Roaming XLL Files

First They Came For Your VBA Files, Then Your XLSM …

If you aren’t familiar with them Microsoft Excel XLL files are DLLs which contain executable files and are treated by Excel as add-ins.  These can be incredibly handy for frequent users of Excel but they can cause nightmares if they are installed from questionable sources; random internet sites not an official corporate network.   

This is just the latest in Microsoft’s campaign to reduce the attack surface of Excel.  As mentioned in the title, first VBA macros were prevented from running if they were not from an approved source.  Then next came XLSM, the Excel workbooks which contained the macros themselves being blocked by default to prevent users from downloading them from unscrupulous people who embed nasty macros containing malware in them.

Finally Microsoft have done the same with XLL files, blocking them by default for it is not that hard to hide a malware executable in the those files, along with useful functions.  They will still run if coming from a trusted network location, but not from emails nor from a random downloaded file.

As Bleeping Computer was told, attacks using XLL files increased “near-sixfold” in the past couple of years and it is not easy to find malware embedded in them with standard AV programs.