Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

By Cameron Abbott and Colette Légeret

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The flaw identified is a JavaScript code execution issue in the embedded video component of Word. It has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration is required to reproduce the issue and that no security warning is presented when the document is opened in Word.

The security flaw is revealed when a user embeds a video via the ‘online video’ feature in Word. It resides in the .xml file, where a parameter called “embeddedHtml” refers to a YouTube iframe code. Cyber-attackers can replace the current YouTube iframe code with malicious HTML/JavaScript that would be rendered by Internet Explorer.

This could be done by embedding a video inside a Word document, editing the XML file named document.xml, and replacing the video link with a crafted payload that opens Internet Explorer Download Manager with the embedded malicious code execution file. This would allow cyber-attackers to trick a Word user into installing a fake software update in order to watch the embedded YouTube video.
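Because the issue sits in the “embeddedHtml” parameter, a document can be checked for it before anyone opens it. The following is an added example, not code from Cymulate or from this article: it unpacks a .docx, finds every embeddedHtml value and reports anything other than a single iframe pointing at an allowlisted video host. The host allowlist, the HTTPS requirement and the sample builder's element name are assumptions made for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr
# Assumption: hosts accepted as legitimate sources for an embedded online video.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

class EmbedAudit(HTMLParser):
    """Collects reasons why an embeddedHtml value is not one plain video iframe."""
    def __init__(self):
        super().__init__()
        self.findings, self.iframes = [], 0
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            self.findings.append(f"unexpected <{tag}> element")
            return
        self.iframes += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if name == "src":
                url = urlparse(value or "")
                if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
                    self.findings.append(f"iframe src not allowlisted: {value}")

def audit_docx(data: bytes):
    """Return (part, finding) pairs for every embeddedHtml attribute in a .docx."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for part in (n for n in archive.namelist() if n.endswith(".xml")):
            for elem in ET.fromstring(archive.read(part)).iter():
                for attr, value in elem.attrib.items():
                    if attr.split("}")[-1] != "embeddedHtml":
                        continue
                    audit = EmbedAudit()
                    audit.feed(value)
                    audit.close()
                    if audit.iframes != 1:
                        audit.findings.append(f"{audit.iframes} iframes, expected 1")
                    results += [(part, finding) for finding in audit.findings]
    return results

def make_sample(embedded_html: str) -> bytes:
    """Constructed sample archive; the element name is a stand-in, not Word's schema."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        xml = f"<document><video embeddedHtml={quoteattr(embedded_html)}/></document>"
        archive.writestr("word/document.xml", xml)
    return buf.getvalue()
```

An empty result from `audit_docx` means every embeddedHtml value found was a single allowlisted iframe; any finding is a reason to hold the document for review, for example at a mail gateway.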

Cymulate has notified Microsoft of this security flaw. It does raise the question of what other flaws exist if one exists in a programme used daily, such as Office – it certainly makes you think twice about opening any embedded files in future! It is worth noting that we often train our employees about opening strange attachments in emails – it may be time to expand this instruction.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.