Security experts have discovered a new bug in Microsoft Word that allows hackers to inject malicious code into a Word document. The bug was discovered by researchers at Cymulate, and it affects older versions of Microsoft Word, including Word 2016.
The bug exploits the Online Video option in Word, which allows users to embed online videos in documents. Unfortunately, Microsoft refused to acknowledge the bug as a vulnerability, so the researchers decided to go public with their findings. The vulnerability can be exploited by first adding an online video to the Word document, then unpacking the document and replacing the embedded code with malware.
Cymulate researchers also tested the exploit in-house and were able to embed a video in a Word document that would then run malicious code when clicked.
Since Microsoft has refused to acknowledge this as a vulnerability, we don’t expect the company to roll out an update to patch the bug. This leaves a lot of users exposed to the attack, and the best workaround is to block Word documents with embedded videos. While this is a good workaround, it goes without saying that one shouldn’t open files from unknown senders, especially ones downloaded from file-sharing services that don’t run proper virus scans.
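One way to apply the "block Word documents with embedded videos" workaround at a mail or file gateway, as an added example that is not code from this article or from Cymulate. It assumes the video is stored as a `webVideoPr` element with an `embeddedHtml` attribute, as in Office's WordprocessingDrawing extension markup (a detail the article does not state); the function names and the size cap are illustrative.

```python
import io
import re
import zipfile

# An online video is stored in the document XML as a webVideoPr element whose
# embeddedHtml attribute carries the HTML that Word renders for the player.
WEB_VIDEO = re.compile(rb"<(?:[\w.-]+:)?webVideoPr\b")
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap so a zip bomb is not inflated


def find_embedded_videos(docx):
    """Return [(part_name, count)] per word/*.xml part; -1 = too large to inspect."""
    hits = []
    try:
        with zipfile.ZipFile(docx) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if not (name.startswith("word/") and name.endswith(".xml")):
                    continue
                if info.file_size > MAX_PART_BYTES:
                    hits.append((info.filename, -1))
                    continue
                data = zf.read(info)
                if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 part
                    data = data.decode("utf-16", "replace").encode("utf-8")
                count = len(WEB_VIDEO.findall(data))
                if count:
                    hits.append((info.filename, count))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (zip) container") from exc
    return hits


def should_block(docx):
    """Policy from the article: block any document with an embedded video."""
    return bool(find_embedded_videos(docx))


def sample_docx(with_video):
    """Constructed minimal package for testing, not a complete Word file."""
    video = b'<wp15:webVideoPr embeddedHtml="&lt;iframe/&gt;" h="315" w="560"/>'
    xml = b"<w:document><w:body><w:p/>%s</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml % (video if with_video else b""))
    buf.seek(0)
    return buf
```

The check flags every document that contains an online video, legitimate or not, which matches the blanket-block workaround; it does not try to judge whether the embedded HTML has been tampered with.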