Researchers have discovered another way through which bad actors may phish! The method employs exploiting a vulnerability in the Microsoft Word Online Video feature. Through this bug, an attacker can replace the iFrame code of the video with a malicious code to conduct a phishing attack.
Bug Discovered In Microsoft Word Online Video Feature
Researchers from the cyber attack simulation firm Cymulate have discovered a bug in the Microsoft Word online video feature. According to their findings, an attacker can exploit the vulnerability to manipulate the embedded video’s iFrame code.
The firm disclosed its findings in a press release on Thursday along with a detailed technical report. Explaining how this bug works, they stated,
“This logical bug is revealed when a user embeds a video via the ‘online video’ feature. It resides in the .xml file, where a parameter called embeddedHtml refers to a YouTube iframe code. Hackers can replace the current YouTube iframe code with malicious html /JavaScript that would be rendered by Internet Explorer.”
They have also shared a video showing the exploit.
Exploiting This Bug May Trigger Phishing Attacks
As demonstrated by the researchers, it is very easy for an attacker to modify the code of any YouTube video embedded in a Word document. They simply have to edit the “document.xml” file and replace the video link with the malicious payload. The researchers fear that attackers may exploit this technique for phishing attacks. While most internet users today all know to ignore email phishing. However, now, attackers may trick them to open malicious Word files with YouTube videos.
“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios.”
Through this trick, the target users may not suspect anything malicious since opening the document with the embedded video does not generate a warning.
The bug allegedly affects Microsoft Office 2016 and all earlier versions with this feature.
No CVE Assigned…?
According to SCMedia, Cymulate reported the vulnerability to Microsoft three months ago. However, the flaw has not qualified for a CVE yet. Moreover, Microsoft’s Senior Director Jeff Jones also said that the “product is properly interpreting HTML”.
“The product is properly interpreting HTML as designed — working in the same manner as similar products.”
At present, the only method to mitigate this bug, as recommended by the researchers, is to block any Word documents with embedded videos.