Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers.
Discovered by researchers at Cymulate, the bug abuses the ‘Online Video‘ option in Word documents, a feature that allows users to embedded an online video with a link to YouTube, as shown.
When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.
Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability.
How Does the New MS Word Attack Works?
Since the Word Doc files (.docx) are actually zip packages of its media and configuration files, it can easily be opened and edited.