Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers.

Discovered by researchers at Cymulate, the bug abuses the ‘Online Video’ option in Word documents, a feature that allows users to embedded an online video with a link to YouTube.

When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.

Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability.

How Does the New MS Word Attack Works?

Since the Word Doc files (.docx) are actually zip packages of its media and configuration files, it can easily be opened and edited.

According to the researchers, the configuration file called ‘document.xml,’ which is a default XML file used by Word and contains the generated embedded-video code, can be edited to replace the current video iFrame code with any HTML or javascript code that would run in the background.

In simple words, an attacker can exploit the bug by replacing the actual YouTube video with a malicious one that would get executed by the Internet Explorer Download Manager
https://thehackernews.com/2018/10/microsoft-office-online-video.html

SHARE THIS POST