Online Video hack now ‘in the wild’ and Microsoft won’t do anything

Office for Mere Mortals helps people around the world get more from Word, Excel, PowerPoint and Outlook. Delivered once a week. free.


A previously theoretical way to misuse Office documents to infect your computer is now ‘in the wild’ and Microsoft isn’t interested in stopping it.

Last week we told you about a new way for Office documents to get malware onto your computer. Cymulate discovered that the Online Video feature could be manipulated to download malware onto a computer.

It’s a fairly simple method using the embeddedHtml tag in an Office document.  Online video details are saved in an Office document like this with the video link contained in an embeddedHTML tag.  Here’s an example using a legitimate YouTube link.

Now Trend Micro  has discovered infected documents being sent out with that trick used to infect computer. It’s not a theoretical bug anymore, it’s a real threat.

New Office documents

This hack is a concern because it uses modern Office ‘no macro’ documents  (.docx .xlsx .pptx ).

One advice against infection is avoiding the old Office documents ‘(.doc .xls .ppt) because they are commonly hacked to infect the unwary.

Infection via newer Office documents is rarer but still possible.  We all still need to be wary of incoming Office documents of any type.

Microsoft shrugs it’s shoulders

Microsoft public response to this problem is a corporate shrug of the shoulders.

According to SC Magazine a senior director at Microsoft says

“The product is properly interpreting html as designed — working in the same manner as similar products.”

It’s the sort of dismissive Microsoft response Office users got last century.  Back then Redmond dismissed concerns about infected Office documents saying they where merely ‘prank macros’.  This is 2018 and Microsoft has supposedly changed, but maybe not.

Microsoft needs to think again

We call ‘ BS ‘ on Microsoft’s excuse that Office is ‘ properly interpreting html ‘.  That’s just a lame excuse to deflect blame.  And it doesn’t make sense.

It’s within Microsoft’s ability to check the embeddedHtml tag to see if it’s normal content from known sources or something abnormal of the type used by criminal hackers.

At the very least, Windows Defender (the anti-virus part of Windows) should be capable of checking for infected documents of this type.

Side-note: where were the ‘security auditors’ that Microsoft hyped as a guard against dangerous code that could be hacked?

This security issue deserves more than just a Microsoft brush off.


Want More?

Office Watch has the latest news and tips about Microsoft Office.  Delivered once a week.