Microsoft Office XSS Flaw Let Attackers Execute Arbitrary Code

A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite. 

This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.

The XSS Vulnerability

Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.

When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy. 

This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.

If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.

The server responds with information, including the video’s title, description, and the HTML iframe tag. 

The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation. 

As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.

Exploitation

To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report. 

Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.

Here is a simplified overview of the steps an attacker would take to exploit this flaw:

1. Create a YouTube video with a payload in the title.
2. Insert the URL of the malicious video into a Word document.
3. Set up a web server to serve malicious JavaScript code.

Implications

This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played. 

While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.

Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI). 

This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents. 

Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.