Saturday, May 24, 2025
HomeComputer SecurityUnpatched Critical Bug in Microsoft Word Online Video Feature Allow Attacker to...

Unpatched Critical Bug in Microsoft Word Online Video Feature Allow Attacker to Deliver Powerful Malware

Published on

SIEM as a Service

Follow Us on Google News

An unpatched bug that abusing Microsoft word Online Video future that allow an attacker to deliver malicious files into the victim’s system.

A bug that existing in the JavaScript code execution within the office-embedded video component leads attackers to execute the malicious code.

This flaw affected Office 2016 and older versions and it will not produce any security warning while victims opening the document.

- Advertisement - Google News

Researchers built a Proof-of-concept for this attack using youtube video link with word document and demonstrate the infection process.

This flaw allows let an attacker execute the powerful malware or ransomware also they will use the evasion technique to avoid the security software detection.

How Does This Attack Works

Malicious hackers having an embedded video link inside of the Microsoft word document and send to victims via phishing mail that trick users to open it.

Embedded video contains a link that pointed to YOUTUBE and the hidden html/javascript code that will be running in the background.

According to cymulate, This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.

Embed an online video option within the word document and link any YouTube video and save the document.

Later unpack the word document using unpacker or change the extension as zip and unzip it where you can find the several files along with word folder.

Word document contains a file called document.xml and find the  embeddedHtml parameter in order to identify the Youtube iframe code and Replace the current iframe code with any html code / javascript to be rendered by Internet Explorer.

A researcher from cymulate created a PoC that contains the embedded executable (as a blob of a base64). Once run, this code will use the msSaveOrOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.

Mitigation:

Block Word documents containing the tag: “embeddedHtml” in the Document.xml file of the word documents.

Block word documents containing an embedded video.

Read:

Patched MS Office RCE Vulnerability Again Abused Windows Installer and Delivering a Keylogger

SmokeLoader Malware Abusing MS Office Document and Compromise Windows 8 ,10 Users PC

Lazarus Hacking Group Delivering RATANKBA Malware & Remote Hacking Tool Via MS Office Documents

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This...

New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal...