This latest hack exploits a flaw in the software’s online video option, which allows users to embed a YouTube video via link inside the document. The problem is that when the link is pasted into a Word document, the software automatically generates an HTML embed script which is executed when the thumbnail image of the video is clicked on inside the document.
Word contains a file called “document.xml” which is a default file used by the program to generate the code to embed the video. It’s a trivial matter to edit this file, only requiring removing the originally inserted URL and replacing it with a malicious one that would get executed by the IE Download Manager.
Alternately, a hacker could simply create a legitimate-looking Word document, insert a poisoned link into it, then send it to a target. If the target clicked the link, whatever malicious code the hacker has staged at the other end would run.
The researchers reported the bug to Microsoft, but the company made no response and refused to acknowledge it as a security vulnerability. After 90 days, the team made their findings public in hopes of spurring the company into action.
This did prompt a response from the company, but their response was simply that they had no intention of addressing the issue as the software is properly interpreting HTML as designed.
That’s apparently the company’s final word on the matter, so if your business is in the habit of using word documents with embedded videos for any purpose, be mindful of this exploit. It could easily be used against you.