
Phishing now possible by exploiting online video function vulnerability in Word


Security researchers from Cymulate, a cyber-attack simulation firm based in Israel, have detected a vulnerability in the online video function of Microsoft Word. They say the vulnerability can be abused to remove the genuine YouTube iframe code and put rogue JavaScript/HTML code in its place.

The company reported its findings on October 25, 2018 in a press release that also included a detailed technical report. The bug comes into play when an end-user embeds a video using Word's 'online video' function. It resides in an .xml file in which a parameter named embeddedHtml holds the YouTube iframe code. In an attack, this code can be replaced with rogue JavaScript/HTML, which is then opened through Internet Explorer.

The researchers demonstrated how easily an attacker could replace the YouTube video code embedded in a Word file. The process consists of editing the file named 'document.xml' and planting the malicious payload in place of the video.

It is feared that scammers will use this method to launch phishing attacks. That's because, while the Word file would display the embedded video clip with a web link to YouTube, it would actually hide JavaScript/HTML code that runs invisibly in the background, with the possibility of further code execution.

And although Internet users today are generally wary of e-mail phishing and know how to avoid it, attackers can now dupe them into viewing rogue Word documents containing YouTube videos. Notably, clicking on Word files with embedded video clips doesn't generate any warning.

The vulnerability, according to Cymulate, affects end-users of Microsoft Office 2016 or earlier editions. According to SCMedia, Cymulate informed Microsoft about the vulnerability 3 months ago. However, no CVE identifier has yet been assigned to the flaw.

Currently, the only way to neutralize the bug is not to enable any Word files containing embedded videos, Cymulate's security researchers advise.
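
A document can be checked for a tampered embeddedHtml parameter before anyone opens it. The Python sketch below is an added example, not code from Cymulate or from this article: it reads a .docx as a ZIP package, finds every embeddedHtml attribute in its XML parts and reports any value that is not a single https YouTube iframe. The allowed host list, the function names and the constructed sample builder are assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # assumed genuine embed hosts

class EmbedAudit(HTMLParser):
    """Collects reasons an embeddedHtml value is not a plain YouTube iframe."""
    def __init__(self):
        super().__init__()
        self.reasons, self.iframes = [], 0
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            self.reasons.append(f"unexpected <{tag}> element")
            return
        self.iframes += 1
        attrs = dict(attrs)
        url = urlparse(attrs.get("src") or "")
        if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
            self.reasons.append("iframe src is not an https YouTube URL")
        self.reasons += [f"iframe carries '{n}' attribute" for n in attrs
                         if n.startswith("on") or n == "srcdoc"]

def audit_embedded_html(value):
    audit = EmbedAudit()
    audit.feed(value)
    audit.close()
    extra = [] if audit.iframes == 1 else [f"expected 1 iframe, found {audit.iframes}"]
    return audit.reasons + extra

def scan_docx(data):
    """Return (part, problem) pairs for every embeddedHtml in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for part in (n for n in package.namelist() if n.endswith(".xml")):
            for elem in ET.fromstring(package.read(part)).iter():
                if "embeddedHtml" in elem.attrib:
                    hits += [(part, p) for p in audit_embedded_html(elem.attrib["embeddedHtml"])]
    return hits

def build_sample(embedded_html):
    """Constructed stand-in for a .docx: one part, not the real Word schema."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        part = ET.tostring(ET.Element("video", {"embeddedHtml": embedded_html}))
        package.writestr("word/document.xml", part)
    return buf.getvalue()
```

An empty result from scan_docx means every embedded video still points at a YouTube iframe; any other result is a reason to quarantine the file for review.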

» SPAMfighter News - 11/9/2018
