A group of researchers has found a way to infect computers via Word documents without triggering a telltale security warning. The attack exploits a feature that allows authors to embed video directly in Word files.
Office programs have been subject to embedded malware before, but usually come with warnings. Word macros are a good example. An MS Office document with an embedded macro must ask the user’s permission before it executes, notifying users that macros can be dangerous.
Researchers at online breach and attack platform vendor Cymulate found the vulnerability inside Word’s online video feature, which allows users to embed a reference to a remote video (such as a YouTube video) directly into a document, so that it can be played when opened.
Attackers can pull off the exploit by manually altering the reference to a remote video inside a DOCX file so that it points to some malicious code instead of a video.
A document with a .docx extension is actually a compressed package containing several files and folders that make up the document’s content and metadata. Normally, users don’t see the bits and pieces inside the package because .docx files are opened, interpreted and presented by Word. Under the hood, though, .docx files are just ZIP archives, which means they can be opened by any zip decompressor (including Windows itself, which will unzip a DOCX for you if you change the file extension from .docx to .zip and double-click on it).
Unzipping a DOCX file exposes the structure of the archive, which contains several folders, including a Word directory where most of the good stuff lies. Inside it is an XML file called document.xml, which contains the code for any embedded videos in the form of HTML iframes.
An iframe tag inside a Word document creates an embedded Internet Explorer ‘window’ that displays content from another location, such as a video from YouTube, when the document is opened.
The researchers replaced the iframe content with their own proof-of-concept code that downloaded an executable from the internet. In the demo video they show, exploiting the vulnerability asks the user whether they want to run the downloaded executable before infecting the machine, but Word doesn’t display a security message warning them that this might be a bad thing to do, the way it does when opening a document that contains a macro.
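As an added illustration (not from the Naked Security article or from Cymulate’s research), the following Python script treats a .docx as the ZIP archive described above, pulls the entity-encoded iframe HTML out of its word/*.xml parts and flags any embed whose src is not an https URL on an allow-listed video host. The allow-list, the placeholder `<video>` element in the constructed sample and the sample URLs are assumptions, not Word’s real markup.

```python
import html, io, re, zipfile
from urllib.parse import urlparse

# Hosts accepted as normal targets of an Office "online video" embed.
# Assumption: illustrative allow-list, tune to your environment.
TRUSTED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

# Word keeps the embed HTML entity-encoded in an XML attribute: unescape, then match.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)

def extract_iframe_srcs(part_xml: str) -> list[str]:
    """Every iframe src referenced in one WordprocessingML part."""
    return IFRAME_SRC_RE.findall(html.unescape(part_xml))

def classify_src(src: str) -> str:
    """Flag anything that is not an https URL on an allow-listed video host."""
    u = urlparse(src)
    if u.scheme != "https":
        return "suspicious: non-https scheme"
    if u.hostname not in TRUSTED_VIDEO_HOSTS:
        return "suspicious: host not on allow-list"
    return "ok"

def scan_docx(data: bytes) -> list[tuple[str, str, str]]:
    """Open the .docx as the ZIP it is; return (part, iframe src, verdict) per embed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", errors="replace")
                findings += [(name, s, classify_src(s)) for s in extract_iframe_srcs(xml)]
    return findings

def build_sample_docx(embed_html: str) -> bytes:
    """Constructed input: minimal archive with only word/document.xml. <video> is a
    placeholder, not Word's real element; the scanner keys on the encoded iframe."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><video embeddedHtml="{html.escape(embed_html, quote=True)}"/>'
           '</w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"benign": '<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>',
               "tampered": '<iframe src="https://files.example.invalid/stage.html"></iframe>'}
    for label, embed in samples.items():
        print(label, scan_docx(build_sample_docx(embed)))
```

On a real document, pass the file bytes straight to scan_docx; the same check applies to headers and footers because every word/*.xml part is inspected.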
The vulnerability reminds Naked Security of another attack, first identified in 2016, that also exploited references to things outside of an Office document, in that case via Office’s DDE (Dynamic Data Exchange) feature. That attack exploited an undocumented feature that allowed DDE references to start any application already installed on a computer, such as the command shell, and give it commands to execute.
Microsoft eventually responded to that issue by turning off DDE by default in Word. Its approach to the video exploit is more ambivalent. SCMedia reports a Microsoft executive saying that the product is “properly interpreting HTML as designed.”
As ever, users should be wary about opening unsolicited email attachments or downloads.