Vulnerability affects the online video feature in Office versions 2016 and older

UPDATED A bug found in a Microsoft Word UI feature can be exploited by attackers to facilitate their phishing campaigns, a cybersecurity firm has warned.

The vulnerability is present in Microsoft Word’s online video feature, which allows a user to embed a video, say from YouTube, into a document.

Attackers are able to replace the video’s iframe code with a payload simply by editing the document.xml file, said Cymulate, the company that discovered the issue.

“This logical bug is revealed when a user embeds a video via the ‘online video’ feature,” Cymulate announced in a press release published yesterday.

“It resides in the .xml file, where a parameter called embeddedHtml refers to a YouTube iframe code. Hackers can replace the current YouTube iframe code with malicious html/JavaScript that would be rendered by Internet Explorer.”

The exploit could be used to conduct a phishing attack, where a victim would be tricked into clicking a malicious link and subsequently hand over their personal information to cybercriminals.

An attacker could also use this feature to trick users into installing a fake software update, the Israeli firm said.

Cymulate noted that the vulnerability affects those using Microsoft Office 2016 or older, and that it had reported the issue to the tech giant alongside releasing a proof of concept.

But Microsoft appeared unconcerned, with senior director Jeff Jones telling The Daily Swig: “The product is properly interpreting html as designed – working in the same manner as similar products.”

Cymulate recommends blocking Word documents that contain an embeddedHtml tag in their Document.xml file, or additionally blocking those that have embedded video.
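One way a mail or upload filter could apply that recommendation, as an added example that is not code from Cymulate or Microsoft: it opens an attachment as a zip, looks for an embeddedHtml attribute in word/document.xml, and notes whether the value is anything other than a bare iframe. The function names, the size cap and the sample markup are assumptions made for this illustration.

```python
import html
import io
import re
import zipfile

MAX_PART_BYTES = 20 * 1024 * 1024  # assumed cap; avoids inflating a zip bomb
# Raw-byte match instead of an XML parser, so hostile XML is never expanded.
ATTR_RE = re.compile(rb"""embeddedHtml\s*=\s*(["'])(.*?)\1""", re.S)
BARE_IFRAME_RE = re.compile(r"\s*<iframe\b[^>]*>\s*</iframe>\s*", re.I)


def scan_docx(data: bytes) -> dict:
    """Verdict for one attachment: block if document.xml carries embeddedHtml."""
    verdict = {"block": False, "reason": "no embeddedHtml found", "snippets": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = next((n for n in zf.namelist()
                         if n.lower() == "word/document.xml"), None)
            if name is None:
                return {**verdict, "reason": "no word/document.xml part"}
            if zf.getinfo(name).file_size > MAX_PART_BYTES:
                return {**verdict, "block": True, "reason": "document.xml too large"}
            xml = zf.read(name)
    except zipfile.BadZipFile:
        return {**verdict, "reason": "not a zip container"}
    for match in ATTR_RE.finditer(xml):
        # Attribute values are XML-escaped; decode them for the analyst.
        raw = match.group(2).decode("utf-8", "replace")
        verdict["snippets"].append(html.unescape(raw))
    if verdict["snippets"]:
        bare = all(BARE_IFRAME_RE.fullmatch(s) for s in verdict["snippets"])
        verdict["block"] = True
        verdict["reason"] = ("embeddedHtml present (bare iframe)" if bare
                             else "embeddedHtml present (not a bare iframe)")
    return verdict


def build_sample_docx(embedded_html=None) -> bytes:
    """Constructed, simplified stand-in for a .docx (sample data only)."""
    attr = "" if embedded_html is None else f' embeddedHtml="{html.escape(embedded_html)}"'
    body = f"<w:document><wp15:webVideoPr{attr}/></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (None, "<p>constructed replacement markup</p>"):
        print(scan_docx(build_sample_docx(sample)))
```

Both cases are blocked, as the recommendation asks; the "not a bare iframe" reason only tells an analyst which hits to look at first.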

This article has been updated to include comment from Microsoft.
