Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

[Oct 31, 2018]

Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware on their computers.

Discovered by researchers at Cymulate, the bug abuses the ‘Online Video’ option in Word documents, a feature that allows users to embed an online video with a link to YouTube.

When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.

Apparently, Microsoft has no plans to fix the issue and says its software is “properly interpreting HTML as designed.”

Cyber Security Tips:  

  • Administrators are advised to block Word documents that contain the embedded video tag “embeddedHtml” in the Document.xml file.
  • End users are advised not to open uninvited email attachments from unknown or suspicious sources.
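
One way to implement the first tip in a mail gateway or upload filter, as an added example that is not from the original article or from Cymulate. The function names, the size cap, and the choice to check every XML part under `word/` (and UTF-16 encoded parts) rather than only the main document part are assumptions; the sample documents are constructed.

```python
import io
import zipfile

# Marker named in the tip above; UTF-16 forms cover parts not stored as UTF-8.
MARKERS = tuple("embeddedHtml".encode(enc) for enc in ("utf-8", "utf-16-le", "utf-16-be"))
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap so an oversized part cannot exhaust memory


def scan_docx(data: bytes) -> str:
    """Return 'block', 'allow', or 'not-ooxml' for the raw bytes of an attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                # Assumption: check every XML part under word/, not only document.xml.
                if not (name.startswith("word/") and name.endswith(".xml")):
                    continue
                if info.file_size > MAX_PART_BYTES:
                    return "block"  # fail closed on oversized parts
                part = zf.read(info)
                if any(marker in part for marker in MARKERS):
                    return "block"
    except zipfile.BadZipFile:
        return "not-ooxml"  # e.g. legacy .doc; needs a different scanner
    return "allow"


def make_sample_docx(document_xml: bytes) -> bytes:
    """Build a minimal constructed .docx-like zip for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample parts (simplified XML, placeholder attribute value).
CLEAN = b'<document><body><p>hello</p></body></document>'
FLAGGED = b'<document><body><webVideoPr embeddedHtml="PLACEHOLDER"/></body></document>'

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(label, scan_docx(make_sample_docx(xml)))
```

A plain substring match also flags documents with legitimately embedded online videos, which is what the tip asks for; route `not-ooxml` results to whatever handles legacy binary formats.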

 
