
Video Embedding Feature In MS Word Has Security Vulnerability 

November 10, 2018 | June 2nd, 2022 | Cybersecurity

Researchers have discovered a security flaw in MS Office 2016 and older versions that leaves the door open to hackers, who can take advantage of it to run malicious code on a target computer.

This latest hack exploits a flaw in the software’s online video option, which allows users to embed a YouTube video via link inside the document.  The problem is that when the link is pasted into a Word document, the software automatically generates an HTML embed script which is executed when the thumbnail image of the video is clicked on inside the document.

A Word document contains a file called “document.xml”, which is a default file used by the program to generate the code to embed the video.  Editing this file is a trivial matter: it only requires removing the originally inserted URL and replacing it with a malicious one that would get executed by the IE Download Manager.

Alternately, a hacker could simply create a legitimate-looking Word document, insert a poisoned link into it, then send it to a target.  If the target clicked the link, whatever malicious code the hacker has staged at the other end would run.
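Because the embed code lives in “document.xml”, incoming documents can be checked for it before they reach users. The following is an added example, not code from the original article or from the researchers: it opens a .docx as a ZIP package, reads word/document.xml, and flags any online-video embed whose HTML is anything other than a single iframe from an allowed host. `webVideoPr` and `embeddedHtml` are the element and attribute in which Word stores the embed; the allowlist, the function names and the sample documents are assumptions constructed for the demonstration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Assumption: hosts local policy accepts as video sources.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def classify_embed(html):
    """'ok' only for a lone iframe from an allowed host with no handlers."""
    tags = [t.lower() for t in re.findall(r"<\s*([a-zA-Z][\w-]*)", html)]
    srcs = re.findall(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", html, re.I)
    hosts = {urlparse(s).hostname for s in srcs}
    risky_attr = re.search(r"\b(on\w+|srcdoc)\s*=", html, re.I)
    if tags == ["iframe"] and len(srcs) == 1 and hosts <= ALLOWED_HOSTS and not risky_attr:
        return "ok"
    return "suspicious"

def scan_docx(data):
    """Return [(verdict, embed_html)] for each online-video embed in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "word/document.xml" not in pkg.namelist():
            return findings
        # For untrusted files, parse with defusedxml instead (entity bombs).
        root = ET.fromstring(pkg.read("word/document.xml"))
    for el in root.iter():
        if _local(el.tag) == "webVideoPr":
            for attr, value in el.attrib.items():
                if _local(attr) == "embeddedHtml":
                    findings.append((classify_embed(value), value))
    return findings

def make_sample(embed_html):
    """Constructed minimal package for the demo; namespaces are placeholders."""
    xml = ('<w:document xmlns:w="urn:example:w" xmlns:wp15="urn:example:wp15">'
           f"<wp15:webVideoPr embeddedHtml={quoteattr(embed_html)}/></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for html in ('<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
                 '<iframe src="https://video.example.invalid/embed/1"></iframe>'):
        print(scan_docx(make_sample(html)))
```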

The researchers reported the bug to Microsoft, but the company made no response and refused to acknowledge it as a security vulnerability.  After 90 days, the team made their findings public in hopes of spurring the company into action.

This did prompt a response from the company, but their response was simply that they had no intention of addressing the issue as the software is properly interpreting HTML as designed.

That’s apparently the company’s final word on the matter, so if your business is in the habit of using Word documents with embedded videos for any purpose, be mindful of this exploit.  It could easily be used against you.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. Having been in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor's degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMware VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.