Cymulate Finds Logical Bug in Microsoft Office Suite – Word Embedded Video Code Execution

Download

Loading media player...

Cymulate created a video to demonstrate the Microsoft bug.

TEL AVIV, Israel--()--Cymulate, a leading provider of Breach & Attack Simulation (BAS) solutions and a Gartner 2018 Cool Vendor, announced today it has uncovered a security flaw in Microsoft Office Suite which may affect Word users.

Cymulate’s security research team identified the bug and notified Microsoft. The security flaw was identified as a JavaScript code execution within the office-embedded video component. It has the potential to impact all users with Office 2016 and older versions of the popular Productivity Suite. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening this document with Microsoft Word.

“We are proud of our security research team who discovered and identified this bug. The team continuously monitors the cyber-threat landscape to provide a thorough view of emerging threats, constantly updating our platform so our users can validate if they are vulnerable to the latest and most advanced threats,” said Avihai Ben-Yossef, co-founder and CTO of Cymulate.

This logical bug is revealed when a user embeds a video via the 'online video' feature. It resides in the .xml file, where a parameter called embeddedHtml refers to a YouTube iframe code. Hackers can replace the current YouTube iframe code with malicious html /JavaScript that would be rendered by Internet Explorer.

One way attackers can use this unauthorized entry is by phishing.

The video shows how an attacker would use this feature to trick users to install a required fake software update.

Read all the technical details on the Cymulate blog here.

Cymulate has notified Microsoft of this bug.

About Cymulate

Cymulate helps companies to stay one step ahead of cyber attackers with a unique breach and attack simulation platform that empowers organizations with complex security solutions to safeguard their business-critical assets. By mimicking the myriad of strategies hackers deploy, the system allows businesses to assess their true preparedness to handle cyber security threats effectively. For more information, visit www.cymulate.com and register for a Free Trial.

Contacts

For Cymulate
Marianne Sabella-Dempsey, 617-233-8675
mdempsey@rainierco.com

Contacts

For Cymulate
Marianne Sabella-Dempsey, 617-233-8675
mdempsey@rainierco.com