Researchers exploit Microsoft Word through embedded video | Cyber Security


A group of researchers has found a way to infect computers via Microsoft Word documents without triggering a telltale warning. The attack exploits a feature that allows authors to embed video directly in Word files.

Office programs have been subject to malware before, but such attacks usually come with warnings. Word macros are a good example. An MS Office document with a macro must ask the user’s permission before it executes, notifying users that macros can be dangerous.

Researchers at online breach and attack platform vendor Cymulate found the vulnerability inside Word’s online video feature, which allows users to embed a reference to a remote video (such as a YouTube video) directly into a document, so that it can be played when opened.

Attackers can pull off the attack by manually altering the reference to a remote video inside a DOCX file so that it points to some malicious code instead of a video.

A document with a .docx extension is actually a compressed package containing several files and folders comprising the document’s content and metadata. Normally, users don’t see the bits and pieces inside the package because .docx files are opened, interpreted and presented by Word. Under the hood, .docx files are just ZIP archives though, which means they can actually be opened by any zip decompressor (including Windows, which will unzip a DOCX for you if you change the file extension from .docx to .zip and double click on it).

Unzipping a DOCX file exposes the structure of the archive, which contains several folders, including a Word directory where most of the good stuff lies. Inside it is an XML file called document.xml, which contains the code for any embedded videos in the form of HTML iframes.

An iframe tag inside a Word document creates an embedded Internet Explorer ‘window’ that displays content from another location, such as a video from YouTube, when the document is opened.
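For defenders, the package layout described above can be audited without opening the file in Word. The following is an added example, not code from Cymulate or from the original article: it reads word/document.xml from the ZIP package and flags embedded-video HTML that is not an iframe pointing at an expected video host. It assumes the HTML is stored in the `embeddedHtml` attribute of the `wp15:webVideoPr` element (a name the article does not mention), and the host allowlist and the `make_sample` helper are constructed for illustration.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumption: hosts treated as legitimate video sources; adjust to local policy.
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}

# Assumption: Word keeps the XML-escaped video HTML in this attribute.
EMBEDDED_HTML = re.compile(r'embeddedHtml="([^"]*)"')
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)', re.IGNORECASE)


def audit_docx(data: bytes) -> list[dict]:
    """Return one finding per embedded-video payload in word/document.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "word/document.xml" not in pkg.namelist():
            return findings
        xml = pkg.read("word/document.xml").decode("utf-8", errors="replace")
    for match in EMBEDDED_HTML.finditer(xml):
        payload = html.unescape(match.group(1))  # XML-escaped HTML -> raw HTML
        src = IFRAME_SRC.search(payload)
        host = urlparse(src.group(1)).hostname if src else None
        # Suspicious when there is no iframe at all or the host is unexpected.
        findings.append({
            "host": host,
            "suspicious": host not in ALLOWED_VIDEO_HOSTS,
            "payload": payload[:80],
        })
    return findings


def make_sample(embedded_html: str) -> bytes:
    """Build a minimal constructed package (not a complete DOCX) for testing."""
    doc = ('<w:document><wp15:webVideoPr embeddedHtml="%s" h="315" w="560"/>'
           '</w:document>' % html.escape(embedded_html, quote=True))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    ok = make_sample('<iframe src="https://www.youtube.com/embed/CONSTRUCTED"></iframe>')
    bad = make_sample('<iframe src="https://files.example.invalid/x"></iframe>')
    print(audit_docx(ok), audit_docx(bad))
```

A mail gateway or file-share scanner could pass each .docx attachment's bytes to `audit_docx` and quarantine anything with a suspicious finding.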

