Threat Watch

Microsoft Word Flaw

Researchers have discovered an unpatched flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code in a document file, tricking the victim into running malware on their machine. The flaw abuses the “Online video” function in Word documents, which allows users to insert an online video with a link to YouTube. When users add online video links to a Word document, the online video feature will automatically generate an HTML embed script. The script is executed when the thumbnail in the document is clicked by the user. Because the Word doc files are zip packages of its configuration and media files, they can be easily opened and edited. Researchers claim, “The configuration file called ‘document.xml,’ which is a default XML file used by Word and contains the generated embedded-video code, can be edited to replace the current video iFrame code with any HTML or JavaScript code that would run in the background.” The flaw was made public three months after Microsoft “refused” to recognize it. 

ANALYST NOTES

Users should always be cautious when receiving Word documents from an unknown source. Documents should not be opened unless received from a trusted source. Even if the source is trusted, there is a chance that it contains a malicious link in the place of a YouTube video. If there is a YouTube video that needs to be shared, the receiver should always request the video ID and go to that video through the YouTube website, rather than click a link in the Word document for the video. Companies can also block Word documents from being sent that include the “embeddedHTML” tag within the document.xml file, but this may cause issues for the company. Though requesting the video ID and going to YouTube separately may take more time, it will stop users from clicking any malicious links inside the document and prevent the user from getting infected.