Date: 29/10/18
Researchers report vulnerability in Microsoft Word’s online video feature
Researchers at Israel-based cyberattack simulation company Cymulate are claiming to have found a vulnerability in Microsoft Word’s online video feature that can allow malicious actors to replace legitimate YouTube iframe code with malicious HTML/JavaScript code.
In a company press release, Cymulate warns that the unpatched zero-day flaw requires no special configuration to reproduce and potentially affects all users of Office 2016 and older versions of the software suite.
Cymulate told SC Media that it disclosed the bug to Microsoft three months ago, noting however that the flaw did not qualify for an official CVE identifier.
“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios,” explains Cymulate co-founder and CTO Avihai Ben-Yossef in a blog post.
According to Ben-Yossef, attackers can exploit the flaw by first embedding a video inside a Word document, then unpacking the doc in order to single out the file “document.xml.” Next, the actors can replace that XML file’s iframe code with a crafted payload. “Once run, this code will use the msSaveOrOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file,” the blog post states.
Using this exploit method, attackers could potentially trick users into installing a fake software update, Cymulate continues, noting that potential victims would receive no security warning when opening the sabotaged document.
In response to Cymulate’s claims, Jeff Jones, senior director at Microsoft, told SC Media, “The product is properly interpreting html as designed — working in the same manner as similar products.”
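Because the document gives no warning when opened, the document.xml tampering described above has to be caught before the file reaches the user. The following added example (not from Cymulate, Microsoft or the article) unpacks a .docx and flags embedded-video markup that is anything other than a plain iframe pointing at an allow-listed host. It assumes Word keeps that markup in an `embeddedHtml` attribute inside `word/document.xml`, a detail the article does not state; the host allow-list, the function names and the sample documents are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # assumed allow-list

class _Tags(HTMLParser):  # collects (tag, attrs) for every start tag
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def embedded_html_values(docx_bytes):
    """Return every embeddedHtml attribute value found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [v for el in root.iter() for k, v in el.attrib.items()
            if k.rsplit("}", 1)[-1] == "embeddedHtml"]  # ignore namespace prefix

def scan_docx(docx_bytes):
    """Return findings; an empty list means only plain allow-listed iframes."""
    findings = []
    for html in embedded_html_values(docx_bytes):
        parser = _Tags()
        parser.feed(html)
        for tag, attrs in parser.tags:
            if tag != "iframe":
                findings.append(f"unexpected <{tag}> element")
                continue
            host = urlparse(attrs.get("src") or "").hostname
            if host not in ALLOWED_HOSTS:
                findings.append(f"iframe src host {host!r} not allow-listed")
            findings += [f"iframe attribute {a!r}" for a in attrs
                         if a.startswith("on") or a == "srcdoc"]
        if "mssaveoropenblob" in html.lower():
            findings.append("references msSaveOrOpenBlob")
    return findings

def make_sample_docx(embedded_html):
    """Constructed minimal package for testing; not a complete Word file."""
    xml = f'<d xmlns:v="urn:constructed"><v:webVideoPr embeddedHtml={quoteattr(embedded_html)}/></d>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()
```

A mail or web gateway could call `scan_docx` on each attachment and quarantine any document that returns a non-empty list.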