This article is more than 1 year old

Word up: Embedded vids in Office docs can hide embedded nasties, infosec bods warn

XML twiddling can lead to lock-and-loading dodgy JavaScript, we're told

Updated Microsoft Word documents can potentially smuggle in malicious code using embedded web videos, it is claimed. Opening a booby-trapped file, and clicking on the vid, will trigger execution of the code.

Miscreants can leverage this weakness to potentially trick marks into installing malware on their PCs. It's useful for hackers preying on non-savvy phishing targets, and the like.

Seeing as there is no official patch for the alleged vulnerability, a workaround is to block files with embedded videos, or use other defenses to prevent dodgy documents from compromising systems and networks.

The alleged flaw was flagged up this week by infosec bods at Cymulate, who claimed a lack of safeguards in the way Redmond's Office 2016 and earlier handle video material opens a door for remote code execution attacks.

"Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios," Cymulate CTO Avihai Ben-Yossef claimed on Thursday.

"This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file."


So, it works like this: the attacker creates an otherwise normal Word file and, within the text, embeds an online video from YouTube or any other streaming site – the video itself doesn't matter, here. From there, the attacker unpacks the resulting Docx file, and edits the document.xml file within.

That XML file, the researchers explained, is where the real danger lies. A miscreant can modify the embeddedHTML parameter to redirect the iframe code of the video to any HTML or JavaScript of their choosing.

The .docx is packed up with the twiddled XML code, and sent to a victim, say, via email. When the file is opened in Word, and the mark tricked into clicking on the video iframe, the malicious XML is parsed, sans security warnings, and its malicious code is executed. This could be used to fool people into installing fake Adobe Flash updates that contain spyware.

Without a hint of irony, here's an embedded video from Cymulate showing a proof-of-concept attack:

Youtube video

Microsoft has yet to comment on the claims, nor had a chance to issue a patch or fix, we understand.

In the meantime, to mitigate against this, according to Cymulate, admins can block embedded video or block Word docs that contain an "embeddedHTML" tag. Also, don't open or trust Word documents from strangers, and don't run installers that pop up unexpectedly from Office files. ®

Updated to add

Seems Microsoft won't be addressing this because, as far as it is concerned, the software is working as expected. “The product is properly interpreting HTML as designed – working in the same manner as similar products,” said Jeff Jones, a senior director at Microsoft.

So, as we suggested, don't open files or links from suspicious or unknown sources, and don't click to allow stuff to install if anything weird pops up. Meanwhile, apply defense-in-depth mechanisms, and stop compromises from spreading from a single user to the whole network.

More about


Send us news

Other stories you might like