Cybersecurity researchers accept revealed an unpatched logical flaw inwards Microsoft Office 2016 as well as older versions that could permit an assaulter to embed malicious code within a document file, tricking users into running malware onto their computers.
Discovered yesteryear researchers at Cymulate, the põrnikas abuses the 'Online Video' pick inwards Word documents, a characteristic that allows users to embedded an online video amongst a link to YouTube, equally shown.
When a user adds an online video link to an MS Word document, the Online Video characteristic automatically generates an HTML embed script, which is executed when the thumbnail within the document is clicked yesteryear the viewer.
Researchers decided to larn populace amongst their findings iii months subsequently Microsoft refused to admit the reported effect equally a safety vulnerability.
Since the Word Doc files (.docx) are truly null packages of its media as well as configuration files, it tin easily survive opened as well as edited.
According to the researchers, the configuration file called 'document.xml,' which is a default XML file used yesteryear Word as well as contains the generated embedded-video code, tin survive edited to supervene upon the electrical flow video iFrame code amongst whatever HTML or javascript code that would run inwards the background.
In unproblematic words, an assaulter tin exploit the põrnikas yesteryear replacing the actual YouTube video amongst a malicious 1 that would larn executed yesteryear the Internet Explorer Download Manager.
To seek out the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack, demonstrating how a maliciously crafted document amongst an embed video, which if clicked, would prompt user to run an embedded executable (as a blob of a base64)–without downloading anything from the mesh or displaying whatever safety alarm when the victim clicks on the video thumbnail.
The hack requires an assaulter to convince victims into opening a document as well as and thence clicking on an embedded video link.
Cymulate researchers responsibly reported this bug, which impacts all users amongst MS Office 2016 as well as older versions of the productivity suite, iii months agone to Microsoft, merely the companionship refused to admit it equally a safety vulnerability.
Apparently, Microsoft has no plans to gear upwards the effect as well as says its software is "properly interpreting HTML equally designed."
Meanwhile, researchers recommended corporation administrators to block Word documents containing the embedded video tag: "embeddedHtml" inwards the Document.xml file, as well as destination users are advised non to opened upwards uninvited e-mail attachments from unknown or suspicious sources.
Discovered yesteryear researchers at Cymulate, the põrnikas abuses the 'Online Video' pick inwards Word documents, a characteristic that allows users to embedded an online video amongst a link to YouTube, equally shown.
When a user adds an online video link to an MS Word document, the Online Video characteristic automatically generates an HTML embed script, which is executed when the thumbnail within the document is clicked yesteryear the viewer.
Researchers decided to larn populace amongst their findings iii months subsequently Microsoft refused to admit the reported effect equally a safety vulnerability.
How Does the New MS Word Attack Works?
Since the Word Doc files (.docx) are truly null packages of its media as well as configuration files, it tin easily survive opened as well as edited.
According to the researchers, the configuration file called 'document.xml,' which is a default XML file used yesteryear Word as well as contains the generated embedded-video code, tin survive edited to supervene upon the electrical flow video iFrame code amongst whatever HTML or javascript code that would run inwards the background.
In unproblematic words, an assaulter tin exploit the põrnikas yesteryear replacing the actual YouTube video amongst a malicious 1 that would larn executed yesteryear the Internet Explorer Download Manager.
"Inside the .xml file, hold off for the embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code," the researchers said. "Save the changes inwards the document.xml file, update the docx packet amongst the modified XML as well as opened upwards the document. No safety alarm is presented spell opening this document amongst Microsoft Word."
Video Demonstration: MS Word Online Video Flaw
To seek out the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack, demonstrating how a maliciously crafted document amongst an embed video, which if clicked, would prompt user to run an embedded executable (as a blob of a base64)–without downloading anything from the mesh or displaying whatever safety alarm when the victim clicks on the video thumbnail.
The hack requires an assaulter to convince victims into opening a document as well as and thence clicking on an embedded video link.
Cymulate researchers responsibly reported this bug, which impacts all users amongst MS Office 2016 as well as older versions of the productivity suite, iii months agone to Microsoft, merely the companionship refused to admit it equally a safety vulnerability.
Apparently, Microsoft has no plans to gear upwards the effect as well as says its software is "properly interpreting HTML equally designed."
Meanwhile, researchers recommended corporation administrators to block Word documents containing the embedded video tag: "embeddedHtml" inwards the Document.xml file, as well as destination users are advised non to opened upwards uninvited e-mail attachments from unknown or suspicious sources.