Video Embedding Feature In MS Word Has Security Vulnerability 

November 10, 2018

Written by wukovits

Researchers have discovered a security flaw in MS Office 2016 and older versions that leaves the door open to hackers, who can take advantage of it to run malicious code on a target computer.

This latest hack exploits a flaw in the software’s online video option, which allows users to embed a YouTube video via link inside the document.  The problem is that when the link is pasted into a Word document, the software automatically generates an HTML embed script which is executed when the thumbnail image of the video is clicked on inside the document.

A Word document contains a file called “document.xml”, a default file the program uses to generate the code that embeds the video.  It’s a trivial matter to edit this file: all it takes is removing the originally inserted URL and replacing it with a malicious one that would get executed by the IE Download Manager.

Alternately, a hacker could simply create a legitimate-looking Word document, insert a poisoned link into it, then send it to a target.  If the target clicked the link, whatever malicious code the hacker has staged at the other end would run.

The researchers reported the bug to Microsoft, but the company made no response and refused to acknowledge it as a security vulnerability.  After 90 days, the team made their findings public in hopes of spurring the company into action.

This did prompt a response from the company, but their response was simply that they had no intention of addressing the issue as the software is properly interpreting HTML as designed.

That’s apparently the company’s final word on the matter, so if your business is in the habit of using Word documents with embedded videos for any purpose, be mindful of this exploit.  It could easily be used against you.
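Since no fix is planned, one practical check is to inspect incoming documents for embed HTML that points somewhere other than a known video host. The following is an added example, not code from the researchers or Microsoft: it opens a .docx as a ZIP package, reads the XML parts under `word/`, and reports any `embeddedHtml` attribute (the attribute Word uses to store the online-video embed code; the article does not name it) whose URLs fall outside an allowlist. `ALLOWED_HOSTS`, `audit_docx` and `make_sample` are names chosen for this example, and the sample documents are constructed.

```python
import html, io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the video hosts your organisation accepts; adjust to policy.
ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}
URL_ATTR = re.compile(r"""\b(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)

def audit_docx(data: bytes) -> list[str]:
    """Return one finding per suspicious item in embedded-video HTML."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        parts = [n for n in pkg.namelist()
                 if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            # For files from untrusted senders, parse with defusedxml instead.
            root = ET.fromstring(pkg.read(name))
            for elem in root.iter():
                for attr, snippet in elem.attrib.items():
                    # Match on local name so any namespace prefix is covered.
                    if attr.rsplit("}", 1)[-1] != "embeddedHtml":
                        continue
                    if "<script" in snippet.lower():
                        findings.append(f"{name}: script tag in embed HTML")
                    urls = URL_ATTR.findall(snippet)
                    if not urls:
                        findings.append(f"{name}: embed HTML has no src/href URL")
                    for url in urls:
                        host = urlparse(html.unescape(url)).hostname
                        if host not in ALLOWED_HOSTS:
                            findings.append(f"{name}: unexpected host {host!r}")
    return findings

def make_sample(embed_html: str) -> bytes:
    """Constructed minimal package for the demo; not an openable Word file."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main" xmlns:w15="http://schemas.microsoft.com/'
           f'office/word/2012/wordml"><w15:webVideoPr embeddedHtml="'
           f'{html.escape(embed_html)}" h="315" w="560"/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    ok = make_sample('<iframe src="https://www.youtube.com/embed/ID"></iframe>')
    odd = make_sample('<iframe src="https://files.example.invalid/v"></iframe>')
    print(audit_docx(ok), audit_docx(odd))
```

An empty list means every embed found points at an allowlisted host; any finding is a reason to quarantine the file for manual review rather than proof of malice.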

Used with permission from Article Aggregator
