A stealthy malware delivery tactic has been uncovered in the way videos are embedded into Microsoft Word Documents, according to researchers. It allows JavaScript code-execution when a user clicks on a weaponized YouTube video thumbnail within a Word document – with no alert message displayed by Microsoft Office requesting user consent.
Researchers at Cymulate built a proof-of-concept attack using a YouTube video link and a Word document (although it’s possible to embed other kinds of video into Word, the researchers didn’t test those vectors, nor did it try this with other Office applications).
Word’s video-embedding feature creates an HTML script behind the video image, which is executed by Internet Explorer when the thumbnail inside the document is clicked.
According to a Cymulate analysis posted on Thursday, the team found that it’s possible to edit that HTML code to point to malware instead of the real YouTube video.
“A file called ‘document.xml’ is a default XML file used by Word that you can extract and edit,” Avihai Ben-Yossef, CTO at Cymulate, explained to Threatpost. “The embedded video configuration will be available there, with a parameter called ’embeddedHtml’ and an iFrame for the YouTube video, which can be replaced with your own HTML.”
In the PoC, the replacement HTML contains a Base64-encoded malware binary that opens the download manager for Internet Explorer, which installs the malware. The video will seem to be legitimate to the user, but the malware will unpack silently in the background.
“Successful exploitation can allow any code execution – ransomware, a trojan,” Ben-Yossef said, adding that detection by antivirus would depend on the specific payload’s other evasion features. Obviously, the attack would work best with a zero-day payload.
The attack requires an adversary to convince someone to open a document and then click on an embedded video; phishing is the best attack vector. Ben-Yossef told Threatpost that by default, Word doesn’t ask permission before executing the embedded video code, so Microsoft Office won’t offer a security warning or dialog box when the target clicks on the video thumbnail.
“It does require phishing skills to make somebody click on [the] video,” Ben-Yossef said. “But keep in mind that the video image in the document will not show any trace of not being a legitimate YouTube video.”
The researcher said that the approach has the potential to impact all users with Office 2016 and older versions of the popular productivity suite. He added that he notified Microsoft, but that the company doesn’t acknowledge the technique as a vulnerability.
“We submitted this to Microsoft three months ago before we implemented it in our [war-gaming] platform,” he explained. “They didn’t acknowledge it as a flaw.” Via Twitter, the company added that Microsoft gave the company the go-ahead to publish their findings.
For Microsoft’s part, Threatpost reached out for comment and was informed that the HTML execution in the video-embedding feature is not flawed, in the software giant’s view. “The product is properly interpreting HTML as designed – working in the same manner as similar products,” Jeff Jones, senior director at Microsoft, told Threatpost.
Fortunately, “it opens a vector for attack that organizations can block on their security controls,” Ben-Yossef told us. Organizations can protect themselves by blocking Word documents containing embedded videos and by making sure antivirus is up-to-date in order to catch the payload.