Security researchers say that they have uncovered a new way to serve up malware to computer users, by exploiting the way in which videos are embedded inside Microsoft Office documents.
Researchers at Israeli security outfit Cymulate explain that the attack takes advantage of how online videos (like those on YouTube) can be embedded inside Microsoft Office documents.
In a proof-of-concept demonstration, the researchers first embedded an online video inside a Word document.
This is done by clicking Insert > Online Video inside Microsoft Word…
…and then providing a link to an online video (one hosted on YouTube in this example.)
The now tampered-with Word document can now be repackaged, and sent to its intended victim.
And, unlike a Microsoft Office document which contains an embedded macro (and asks the user for permission before it executes, warning of the potential dangers), a recipient of a Word document containing an embedded “video” will see no such warnings.
The researchers speculate that the attack could be used to phish credentials from unsuspecting users, or to install fake software updates.
However, don’t hold your breath waiting for Microsoft to release a patch to fix the problem.
The researchers contacted Microsoft three months ago with their findings, only to be told that the software giant would not recognise the issue as a vulnerability.
As Jeff Jones, a senior director at Microsoft, told Threatpost, Microsoft Office doesn’t believe it needs to make any changes to its software:
“The product is properly interpreting HTML as designed – working in the same manner as similar products.”
Now, you could ask why on earth Microsoft ever thought in the first place that allowing users to embed active content within a Word document was a good idea from the security point of view… but I fear that particular boat sailed some time ago.
In Microsoft’s opinion this is “someone else’s problem.” And as it’s unlikely anyone else is going to step forward to claim responsibility, that means it’s your problem.
It should be stressed that no evidence is being offered by Cymulate that the technique has been used by malicious hackers to compromise systems, and this is very much a proof-of-concept attack.
But now that it has been publicised, as has Microsoft’s shirking of responsibility and admission that it has no plans to mitigate the threat, any organisation which believes it may be under threat may be wise to consider blocking documents containing embedded videos, and ensuring that layered anti-malware defences are in place to intercept any potential payloads.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.