A feature that allows anyone to embed a video directly in a Word document can be easily misused to trick target users into downloading and running malware, Cymulate researchers have demonstrated.
Producing a document that will deliver the malicious payload is easy.
An attacker must first create a Word document, fill it with whatever content they deem appropriate, then use the Insert -> Online Video option, add a YouTube video to the document and save the file.
The saved file should then be unpacked with an unpacker or by changing the .docx extension to .zip and unzipping it. These actions allow the attacker to access an XML file called document.xml in the Word folder, to open it and edit it.
The click will trigger the download of the embedded executable by opening Internet Explorer Download Manager. The target will be asked whether they want to run or save the file but won’t be warned about possible dangers of doing so. And, unfortunately, many users don’t think twice about clicking through the prompts and OK-ing the action if their interest is piqued.
The researchers consider this to be a bug and a security flaw and say that it has the potential to impact all users with Office 2016 and older versions of the productivity suite.
Microsoft has been notified of it, but for now they don’t plan to do anything about it as the software is “properly interpreting HTML as designed.”
But if the feature starts getting widely abused they might end up doing something about it.
A similar situation happened last year when, after a considerable increase of malware campaigns abusing the Dynamic Data Exchange (DDE) feature in Word, Microsoft initially said that it was a feature, not a bug, and just offered attack mitigation advice, but ultimately ended up disabling DDE by default to stem the malicious tide.
In the meantime, though, users are advised not to open unsolicited email attachments from unknown or suspicious sources, and enterprise administrators are advised to block Word documents containing an embedded video.
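One way an administrator could find such documents at a mail or file gateway, as an added example that is not code from the article or from Cymulate. It assumes the online-video object is stored as a `webVideoPr` element with an `embeddedHtml` attribute (names from the Office Open XML format, not from this page), and `ALLOWED_HOSTS` and the sample documents are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: hosts an administrator accepts for embedded players.
ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
IFRAME_ONLY = re.compile(  # a single iframe, https src, no on* event handlers
    r'^\s*<iframe\b(?![^>]*\son\w+\s*=)[^>]*\ssrc="https://([^/"]+)/[^"]*"'
    r'[^>]*>(\s*</iframe>)?\s*$', re.IGNORECASE | re.DOTALL)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def find_embedded_video(docx_bytes):
    """Return [(part, verdict, html)] for each online-video object in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                if local(el.tag) != "webVideoPr":
                    continue
                html = next((v for k, v in el.attrib.items()
                             if local(k) == "embeddedHtml"), "")
                m = IFRAME_ONLY.match(html)
                ok = bool(m) and m.group(1).lower() in ALLOWED_HOSTS
                findings.append((part, "plain-player" if ok else "suspicious", html))
    return findings

def make_docx(embedded_html):
    """Build a minimal constructed sample (not a real Word file) for the demo."""
    ns = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
    root = ET.Element("document")
    ET.SubElement(root, "{%s}webVideoPr" % ns, {"embeddedHtml": embedded_html})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", ET.tostring(root))
    return buf.getvalue()

if __name__ == "__main__":
    for html in ('<iframe src="https://www.youtube.com/embed/CONSTRUCTED"></iframe>',
                 "<div>constructed markup that is not a video player</div>"):
        print(find_embedded_video(make_docx(html)))
```

Any finding is enough to apply the block-on-embedded-video policy; the verdict only helps prioritise review. On untrusted input, parse with a hardened XML parser such as `defusedxml` and cap the decompressed size of each archive member.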