Phishing now possible by exploiting online video function vulnerability in Word

Security researchers from Cymulate a cyber assault simulation firm based at Israel have detected vulnerability within the online video function of Microsoft Word. They claim that the vulnerability can be abused for removing genuine iframe code of YouTube and then installing rogue JavaScript/HTML code in its place.

The company reported about its findings on October 25, 2018 through one press release in which it also gave an elaborate technical report. The bug works via its revelation that happens when an end-user implants one video with the aid of Word's 'online video' function. The bug lingers within an .xml file within which one parameter named embeddedHtml is actually one YouTube iframe script. During hacks, this script can be substituted with rogue JavaScript/html obtainable via browsing in Internet Explorer.

The researchers demonstrated how an attacker could quite easily recreate a script/code belonging to YouTube videos that have been implanted within a Word file. That process is just editing or making changes to the file named 'document.xml' followed with planting the malevolent payload in place of the video option.

It is being apprehended that scammers are likely to exploit this methodology to unleash phishing attacks. That's because while the Word file would display the implanted film clipping having one web-link to YouTube, it would actually masquerade one concealed javascript/html code which would be invisibly active behind screen, the whole thing accompanied with the possibility of more code executions.

And though it is somewhat usual that Internet users on this day are wary about e-mail phishing and how they can avoid the threat, yet now there are attackers who can dupe them into viewing rogue Word documents having YouTube films. Incidentally, clicking on Word files having implanted film clippings doesn't generate any warning.

The vulnerability, according to Cymulate, impacts end-users working on Microsoft Office 2016 alternatively prior editions. As per SCMedia, Cymulate informed Microsoft about the vulnerability 3 months back. But, no CVE qualification has yet been attributed to the flaw.

Currently the sole way for neutralizing the bug is for not enabling any Word files having implanted videos, thus advise Cymulate's security researchers.

» SPAMfighter News - 11/9/2018