[Oct 31, 2018]
Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers.
Discovered by researchers at Cymulate, the bug abuses the ‘Online Video’ option in Word documents, a feature that allows users to embedded an online video with a link to YouTube, as shown.
When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.
Apparently, Microsoft has no plans to fix the issue and says its software is “properly interpreting HTML as designed.”
Cyber Security Tips:
- Administrators are recommended to block Word documents containing the embedded video tag: “embeddedHtml” in the Document.xml file.
- End users are advised not to open uninvited email attachments from unknown or suspicious sources.