Risk: Embedded videos in Word documents?

[German]Security experts warn of risks in Word documents. Embedded videos can be misused for attacks. The XML format of  .docx files can be misused to download dubious JavaScript code.


Microsoft Word .docx documents can potentially contain malicious code through embedded web videos, according to security researchers. Opening a file with such a 'bomb' and clicking on the video can trigger the execution of the JavaScript code in Windows. The Register reported here that attackers could exploit this technology to trick users into installing malware on Windows systems.

Since there is no official patch for the alleged vulnerability, a workaround is to block embedded video files or take other defenses to prevent dubious documents from affecting systems and networks.

The potential vulnerability was reported by security vendor Cymulate. The problem is how Microsoft Office 2016 and earlier versions handle video files built into Word .docx documents. If there are no security measures, the video footage opens a door for remote code execution.

Cymulate CTO Avihai Ben-Yossef says: "Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios."

This attack can be prepared by embedding a video (link) in a Word document. The content of the .docx file can then be unpacked and the XML file document.xml may be edited. The attacker then may replaces the link to the external video with a manipulated payload. To do this, he changes the embeddedHTML parameter to forward the iframe code of the video to any piece of HTML or JavaScript of his choice. This allows the Internet Explorer Download Manager to be opened using the embedded code file for execution.


Currently I no idea how critical the vulnerability is and under which constellations it works. Details can be found at Cymulate (but a security solutions is advertised immediately via chat) and at The Register.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *