MS Office security flaw

Microsoft Office 2016 and older versions have a software flaw that leaves the door open to hackers, who can take advantage of it to run malicious code on a target computer.

This latest hack exploits a flaw in the software's online video option, which lets users embed a YouTube video inside a document via a link. The problem is that when the link is pasted into a Word document, the software automatically generates an HTML embed script, which is executed when the video's thumbnail image is clicked inside the document.

XML document easy to modify

A Word document contains a file called "document.xml", which is the default file the program uses to hold the code that embeds the video. Editing this file is a trivial matter: it only requires removing the originally inserted URL and replacing it with a malicious one, which would then be executed by the IE Download Manager.

Alternatively, a hacker could simply create a legitimate-looking Word document, insert a poisoned link into it, and send it to a target. If the target clicked the link, whatever malicious code the hacker had staged at the other end would run.
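As an added example (not part of the original post) of how a defender can check incoming documents for this trick, the following Python script unzips a .docx, reads word/document.xml and flags any attribute whose value carries an HTML iframe or script that does not point at a YouTube embed. The attribute name embeddedHtml and the allowed host list are assumptions, and the sample documents are constructed inline rather than produced by Word.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: only YouTube embeds are expected in this organisation's documents.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}
HTML_MARKER = re.compile(r"<\s*(iframe|script|object|embed)\b", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def scan_document_xml(xml_bytes: bytes) -> list:
    """Return one finding per attribute in document.xml whose value carries HTML.

    A finding is suspicious when the HTML has no src at all (inline script) or
    when any src points to a host outside ALLOWED_HOSTS.
    """
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        for name, value in elem.attrib.items():
            if not HTML_MARKER.search(value):
                continue
            srcs = SRC_ATTR.findall(value)
            hosts = [(urlparse(s).hostname or "").lower() for s in srcs]
            suspicious = not srcs or any(h not in ALLOWED_HOSTS for h in hosts)
            findings.append({"attribute": name.split("}")[-1],  # drop XML namespace
                             "src": srcs, "suspicious": suspicious})
    return findings


def scan_docx(data: bytes) -> list:
    """Unzip a .docx held in memory and scan its word/document.xml part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/document.xml" not in z.namelist():
            return []
        return scan_document_xml(z.read("word/document.xml"))


def build_sample_docx(embedded_html: str) -> bytes:
    """Construct a minimal stand-in .docx (not a real Word file) whose
    document.xml carries the given embed HTML in an attribute named embeddedHtml."""
    root = ET.Element("document")
    ET.SubElement(root, "webVideoPr", {"embeddedHtml": embedded_html})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", ET.tostring(root, encoding="utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx('<iframe src="https://example.invalid/stage.html"></iframe>')
    for finding in scan_docx(sample):
        print(finding)
```

Real Word files keep the embed under a namespaced element, which is why the scanner strips namespaces and checks every attribute value rather than relying on one element name.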

The researchers reported the bug to Microsoft, but the company made no response and refused to acknowledge it as a security vulnerability.  After 90 days, the team made their findings public in hopes of spurring the company into action.

This did prompt a response from the company, but the response was simply that they had no intention of addressing the issue, because the software is interpreting HTML as designed.

Our perspective

That's apparently the company's final word on the matter, so if your business is in the habit of using Word documents with embedded videos for any purpose, be mindful of this exploit. It could easily be used against you.

The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects, specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, law firms, and construction companies in Ventura County and the San Fernando Valley. I have created cost-effective IT solutions for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers, as well as providing small business technology education programs through business and professional associations.

Contact me if you would like me to speak at your meeting.