A feature that allows anyone to embed a video directly in a Word document can be used to trick targeted users into downloading and running malware.
Researchers have shown that producing a document that will deliver a malicious payload through this method is easy.
First, a hacker must create a Word document, fill it with content, use the Insert -> Online Video option to add a YouTube video to the document, and save the file.
Then the saved file's .docx extension must be changed to .zip and the archive unzipped. These actions allow the hacker to access an XML file called document.xml in the Word folder.
Remember, everything can be hacked. To stay away from threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company's network. These tests include penetration testing and ethical hacking tests.
If the victim clicks on the malicious link, this triggers the download of the embedded executable by opening Internet Explorer Download Manager. Unfortunately, many users don't think twice about clicking through the prompts and OK-ing the action.
This security flaw impacts all users with Office 2016 and older.
Microsoft has already been notified about it, but for now they don't plan to do anything about it because they haven't seen it exploited in cyberspace. If the feature starts getting widely abused, they might end up doing something about it.
Users are advised not to open unsolicited email attachments from unknown or suspicious sources, and enterprise administrators are advised to block Word documents containing an embedded video.
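A sketch of the blocking check recommended above for administrators, as an added example that is not from the original article or from Microsoft: it opens a .docx as a ZIP archive and flags any XML part in the word folder that declares an online video. The `webVideoPr` element name and its namespace are assumptions not stated in the article, and the sample documents are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumption (not stated in the article): Word records an inserted online
# video as a webVideoPr element in this Office 2012 drawing namespace.
WP15 = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
VIDEO_TAG = "{%s}webVideoPr" % WP15
MAX_PART_BYTES = 50 * 1024 * 1024  # refuse oversized parts (zip-bomb guard)


def has_embedded_video(docx_bytes):
    """Return True if any XML part under word/ declares an online video."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all
    with archive:
        for info in archive.infolist():
            name = info.filename
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            if info.file_size > MAX_PART_BYTES:
                return True  # fail closed: an unscannable part is blockable
            try:
                root = ET.fromstring(archive.read(info))
            except ET.ParseError:
                continue  # malformed part, nothing to match against
            if any(el.tag == VIDEO_TAG for el in root.iter()):
                return True
    return False


def _constructed_docx(body_xml):
    """Build a minimal, constructed .docx-like archive for the demo."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main" xmlns:wp15="%s"><w:body>%s'
           '</w:body></w:document>' % (WP15, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


PLAIN = _constructed_docx("<w:p/>")  # constructed: text only
WITH_VIDEO = _constructed_docx('<wp15:webVideoPr h="300" w="400"/>')

if __name__ == "__main__":
    print(has_embedded_video(PLAIN), has_embedded_video(WITH_VIDEO))
```

A mail gateway or file-share hook could call `has_embedded_video` on each attachment's bytes and quarantine the file when it returns True.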
Keep in mind that our modern society is dependent on computers, mobile devices, and the use of the internet. Always stay safe and secure.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network. Tests like this include penetration testing and ethical hacking.