A group of researchers has found a way to infect computers via Word documents without triggering a telltale security warning. The attack exploits a feature that allows authors to embed video directly in Word files.
Office programs have been subject to embedded malware before, but those attacks usually trigger warnings. Word macros are a good example. An MS Office document with an embedded macro must ask the user’s permission before it executes, notifying users that macros can be dangerous.
Researchers at online breach and attack platform vendor Cymulate found the vulnerability inside Word’s online video feature, which allows users to embed a reference to a remote video (such as a YouTube video) directly into a document, so that it can be played when opened.
Attackers can pull off the exploit by manually altering the reference to a remote video inside a DOCX file so that it points to some malicious code instead of a video.
A document with a .docx extension is actually a compressed package containing several files and folders comprising the document’s content and metadata. Normally, users don’t see the bits and pieces inside the package because .docx files are opened, interpreted and presented by Word. Under the hood, .docx files are just ZIP archives though, which means they can actually be opened by any zip decompressor (including Windows, which will unzip a DOCX for you if you change the file extension from .docx to .zip and double click on it).
Unzipping a DOCX file exposes the structure of the archive, which contains several folders, including a word directory where most of the good stuff lies. Inside it is an XML file called document.xml, which contains the code for any embedded videos in the form of HTML iframes.
An iframe tag inside a Word document creates an embedded Internet Explorer ‘window’ that displays content from another location, such as a video from YouTube, when the document is opened.
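As an added example (not code from Cymulate or from the original article), the Python sketch below shows how a defender could inspect that embedded HTML before a document reaches a user. It relies on Word storing the video markup in the embeddedHtml attribute of a webVideoPr element inside word/document.xml, which the article does not name; the host allowlist, the function names and the two sample documents are assumptions constructed for illustration.

```python
import html, io, zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts your policy accepts as video sources (not from the article).
ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}

class TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def audit_embedded_video(docx_bytes):
    """Return findings for embedded-video HTML found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        # For untrusted files in production, prefer a hardened parser (defusedxml).
        root = ET.fromstring(pkg.read("word/document.xml"))
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "webVideoPr":
            continue
        collector = TagCollector()
        collector.feed(el.attrib.get("embeddedHtml", ""))
        if not collector.tags:
            findings.append("video element without parsable HTML")
        for tag, attrs in collector.tags:
            src = attrs.get("src") or ""
            url = urlparse("https:" + src if src.startswith("//") else src)
            if tag != "iframe":
                findings.append(f"unexpected <{tag}> element")
            elif url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
                findings.append(f"iframe src not allowlisted: {src!r}")
    return findings

def make_docx(embedded_html):
    """Build a minimal constructed DOCX package holding one embedded video."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
           f'<w:body><wp15:webVideoPr embeddedHtml="{html.escape(embedded_html)}" h="315" w="560"/>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_embedded_video(make_docx('<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>')))
    print(audit_embedded_video(make_docx('<div><iframe src="https://host.example.invalid/x"></iframe></div>')))
```

Any finding means the embedded markup is something other than a single iframe pointing at an approved video host, which is the condition the altered reference described above would violate.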