June 18, 2019

June 17, 2019


Cyber-Attackers Could Exploit Security Flaw Found in the Embedded Video Function of Microsoft Word

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The Office security flaw identified is JavaScript code execution within the embedded video component of Word. This has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration was required to reproduce the issue and that no security warning is presented when the document is opened in Word.

The security flaw is revealed when a user embeds a video via the ‘online video’ feature in Word. It resides in the .xml file, where a parameter called “embeddedHtml” refers to a YouTube iframe code. Cyber-attackers can replace the existing YouTube iframe code with malicious HTML/JavaScript that would be rendered by Internet Explorer.

This could be done by embedding a video inside a Word document, editing the XML file named document.xml, and replacing the video link with a crafted payload that opens Internet Explorer Download Manager with the embedded malicious code execution file, thereby allowing cyber-attackers to trick a Word user into installing a fake software update to watch the embedded YouTube video.

Cymulate has notified Microsoft of this security flaw. It does beg the question of what other flaws exist if one exists in a programme used daily, such as Office – it certainly makes you think twice about opening any embedded files in future! It is worth noting that we often train our employees about opening strange attachments in emails – it may be time to expand this instruction.

Colette Légeret contributed to this piece.

Copyright 2019 K & L Gates


About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm
