A security researcher from Cymulate discovered this critical bug in the online video embedding feature of Microsoft Word, which can be abused to infect thousands of MS Office users.
The researcher has also published a PoC of this unpatched bug and demonstrated it via a YouTube link.
Who Is Affected?
This bug leaves most users at risk, as it affects MS Office 2016 and earlier versions.
Worse, no security warning is shown when the victim opens the document. The flaw allows an attacker to execute powerful malware or ransomware, and attackers can also use evasion techniques to avoid detection by security software.
How the Bug Works (PoC)
It is quite simple to reproduce the bug: an attacker just needs to embed a YouTube video in a Word document and then replace the embedded YouTube code with malicious code within the iframe tag.
- Create a Word document and embed a YouTube or other online video from the Insert menu.
- Save the Word document with the embedded online video.
- Unpack the Word document using an unpacker, or change the extension to .zip and unzip it; you will find several files along with the word folder.
- Inside the document.xml file, look for the embeddedHtml parameter (under WebVideoPr), which contains the YouTube iframe code.
- Save the changes in the document.xml file and update the docx package with the modified XML.
A Cymulate researcher created a PoC that contains the embedded executable (as a base64 blob). Once run, this code uses the msSaveOrOpenBlob method to trigger the download of the executable by opening the Internet Explorer Download Manager with the option to run or save the file.
Mitigation
As there is no patch available yet for this flaw, it is recommended to block Word documents containing the tag "embeddedHtml" in the document.xml file of the Word document. Block Word documents containing an embedded video.
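
The blocking rule above can be enforced at a mail or file gateway. The following is an added example, not code from Cymulate or the original article: it flags any docx whose XML parts carry an embeddedHtml attribute and returns the decoded HTML for review. It scans every .xml part rather than only document.xml, and the function names and sample documents are constructed for illustration.

```python
import html
import io
import re
import zipfile

# Matches embeddedHtml="..." regardless of namespace prefix or quote style.
EMBEDDED_HTML = re.compile(r'''\bembeddedHtml\s*=\s*(["'])(.*?)\1''', re.DOTALL)


def find_embedded_html(docx_bytes):
    """Return [(part_name, decoded_html), ...] for each embeddedHtml attribute.

    Raises ValueError if the input is not a ZIP (OOXML) container.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (ZIP) container") from exc
    hits = []
    with archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            data = archive.read(info)
            # XML parts are UTF-8 or UTF-16; pick the codec from the BOM.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
            text = data.decode(enc, errors="replace")
            for match in EMBEDDED_HTML.finditer(text):
                # The attribute value is XML-escaped HTML; decode it for review.
                hits.append((info.filename, html.unescape(match.group(2))))
    return hits


def should_block(docx_bytes):
    """Policy from the article: block any document carrying embeddedHtml."""
    return bool(find_embedded_html(docx_bytes))


def build_sample(document_xml):
    """Constructed test input: a minimal ZIP holding only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples (not taken from any real document).
WITH_VIDEO = build_sample(
    '<w:document><wp15:webVideoPr embeddedHtml="&lt;iframe '
    'src=&quot;https://www.youtube.com/embed/EXAMPLE&quot;&gt;&lt;/iframe&gt;"'
    ' h="315" w="560"/></w:document>')
PLAIN = build_sample("<w:document><w:body/></w:document>")
```

Because the rule blocks on the attribute's presence alone, legitimate documents with an embedded online video are also flagged, which matches the mitigation as stated.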