31 October 2018

Researchers Report Vulnerability in Microsoft Word Online Video Feature

Researchers at Automated Breach and Attack Simulation solution provider Cymulate have reportedly found a vulnerability in Microsoft Word’s online video feature that allows threat actors to replace legitimate YouTube iframe code with malicious HTML/JavaScript code.

How Can the Online Video Feature Be Abused?

Researchers at Cymulate have discovered a way to abuse the ‘Online Video’ feature in Microsoft Word to execute malicious code. The feature allows legitimate users to embed an online video with a link to YouTube in a Microsoft Word document by automatically generating an HTML embed script, which is executed when the viewer clicks the thumbnail inside the document.

However, researchers at Cymulate have discovered a way to abuse the feature by editing the .xml file to replace the current video iframe code with any HTML or JavaScript code that would run in the background. In simple terms, an attacker can exploit the bug by replacing the actual YouTube video with a malicious one that is executed, without downloading anything from the internet or displaying any security warning, when the victim clicks on the video thumbnail.

To prove the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack.




[Figure: Screenshot of .xml file code. Source: Cymulate Blog]

Who Is Affected by This Vulnerability?

This flaw has the potential to impact all users with Office 2016 and older versions of the popular productivity suite. Cymulate further warns that no special configuration is required to reproduce the issue; the hack simply requires an attacker to convince victims to open a document and then click on the embedded video link.

Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability. Apparently, Microsoft has no plans to fix the issue and says its software is “properly interpreting HTML as designed.”

Our Recommendations

Enterprise administrators should block Word documents containing the embedded video tag “embeddedHtml” in the document.xml file. End users are advised not to open unsolicited email attachments from unknown or suspicious sources.
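
One way to implement the blocking recommendation above at a mail or file gateway, shown as an added example that is not code from Cymulate, Microsoft or the original article. It assumes the document is a ZIP-based .docx whose XML parts sit under `word/`; the function names, the size cap and the sample documents are constructed for illustration.

```python
import html
import io
import re
import zipfile

# The marker named in the recommendation, matched under any namespace prefix.
EMBEDDED_HTML = re.compile(rb'''\bembeddedHtml\s*=\s*(["'])(.*?)\1''', re.DOTALL)
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap on a part's declared size


def find_embedded_html(docx_bytes):
    """Return [(part_name, decoded_markup)] for each embeddedHtml value found."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return findings  # not a ZIP-based Office file, nothing to inspect
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "<part too large to inspect>"))
                continue
            for match in EMBEDDED_HTML.finditer(archive.read(info)):
                raw = match.group(2).decode("utf-8", errors="replace")
                findings.append((info.filename, html.unescape(raw)))
    return findings


def should_block(docx_bytes):
    """Gateway policy from the recommendation: block if the marker is present."""
    return bool(find_embedded_html(docx_bytes))


def make_sample(document_xml):
    """Build a constructed, minimal archive holding only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: one with a benign video embed, one without any video.
WITH_VIDEO = make_sample(
    '<w:document><wp15:webVideoPr embeddedHtml="&lt;iframe '
    'src=&quot;https://www.youtube.com/embed/EXAMPLE&quot;&gt;&lt;/iframe&gt;"/>'
    '</w:document>')
PLAIN = make_sample("<w:document><w:body><w:p/></w:body></w:document>")
```

`find_embedded_html` returns the decoded markup alongside the part name, so an analyst reviewing a quarantined file can see what the thumbnail would have loaded without opening the document in Word.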