Video Embedding Feature In MS Word Has Security Vulnerability 

November 10, 2018

Written by wukovits

Researchers have discovered a security flaw in MS Office 2016 and older versions that leaves the door open to hackers, who can take advantage of it to run malicious code on a target computer.

This latest hack exploits a flaw in the software’s online video option, which allows users to embed a YouTube video via link inside the document.  The problem is that when the link is pasted into a Word document, the software automatically generates an HTML embed script which is executed when the thumbnail image of the video is clicked on inside the document.

A Word document contains a file called “document.xml”, a default file the program uses to generate the code that embeds the video.  Editing this file is trivial: it only requires removing the originally inserted URL and replacing it with a malicious one that would get executed by the IE Download Manager.

Alternately, a hacker could simply create a legitimate-looking Word document, insert a poisoned link into it, then send it to a target.  If the target clicked the link, whatever malicious code the hacker has staged at the other end would run.

The researchers reported the bug to Microsoft, but the company made no response and refused to acknowledge it as a security vulnerability.  After 90 days, the team made their findings public in hopes of spurring the company into action.

This did prompt a response from the company, but their response was simply that they had no intention of addressing the issue as the software is properly interpreting HTML as designed.

That’s apparently the company’s final word on the matter, so if your business is in the habit of using Word documents with embedded videos for any purpose, be mindful of this exploit.  It could easily be used against you.

Used with permission from Article Aggregator
