Online Video now a risk for Office users

Cymulate is reporting how embedded video in Word or other Office documents are another way for criminals and hackers to infect your computer.

It’s yet another example of how Word, Excel or PowerPoint documents can be used to get malware onto computers to steal data, becomes bots or other nasties.

This trick uses the relatively new Office feature of linking video from online services like YouTube.

Linking an online video adds some code to the Office document (.docx. xlsx .pptx etc.) which includes a section ’embeddedhtml’.  That’s quite normal, YouTube uses Embedded HTML to setup the iFrame that a video plays in.

If you open up an Office document and look in the word/document.xml folder there’s the online video details with the embeddedhtml section.

Source: Cymulate

Hackers can manually edit that section of the document to add their own HTML or Javascript code.

Cymulate made an example which has code to download another program from the Internet.  The user only has to unwittingly open or run the download and they are infected.

There’s NO security warning from Office.  Apparently Microsoft hasn’t put any protections in place to guard against unusual uses of the embeddedhtml element.

There’s no risk from adding online video from YouTube or other known sources.

As usual, the problem is opening documents from unknown or unexpected sources.  Those documents could have one of the many (too many) Office document hacks available to criminals.

See the details on the Cymulate blog.