Security researchers have revealed a Microsoft Word vulnerability that involves cryptojacking scripts. These scripts are usually used to sap a machine's resources to mine cryptocurrency, but they can leave systems open to attack when exploited through Microsoft Word.
Israeli security company Votiro discovered the vulnerability in newer versions of Word. Specifically, it lies in a feature of the document program that allows users to embed videos from the internet. Microsoft created the feature to make video inclusion in documents easier, as the user no longer needs to upload the content.
Of course, this is very useful, but it has unfortunately also left a gap for malicious actors. The Word video player can be exploited to run cryptocurrency scripts that let attackers steal system resources for mining.
The vulnerability exists because Microsoft Word does not put restrictions on embed codes and where they come from. This means malicious code would be accepted by Word. Attackers do not even have to do a lot to exploit this flaw. They just need to host a video on their own domain and load a malicious script in the video.
When the video is opened in a Word file and played, the cryptominer starts using machine resources to mine currency. Votiro provides one mitigation to protect against this vulnerability:
“We advise users to be suspicious when encountering a Word document bearing an Online Video, for as shown above, one might never know what it really holds. Also, it might be a good opportunity to ensure your machine is up-to-date with the latest security patches, especially Internet Explorer.”
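Because Word accepts embed codes from any source, a mail or file gateway can inspect the embed code before a document reaches a user. The following is an added example, not code from Votiro or Microsoft: it assumes the embed code is stored in the `embeddedHtml` attribute of `webVideoPr` elements inside the .docx XML parts, and the host allowlist and the name `audit_docx` are hypothetical.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# Assumption: video hosts the organisation accepts; adjust to local policy.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}


class EmbedAudit(HTMLParser):
    """Records script tags and off-allowlist src hosts in an embed snippet."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element in embed code")
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src).hostname or "(no host)"
            if host not in ALLOWED_HOSTS:
                self.findings.append(f"{tag} loads from unlisted host {host}")


def audit_docx(data: bytes) -> list:
    """Return findings for every online-video embed in a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            part = zf.read(name)
            if b"<!DOCTYPE" in part:  # OOXML parts carry no DTD; do not parse
                findings.append(f"{name}: unexpected DTD, part skipped")
                continue
            for el in ET.fromstring(part).iter():
                if not el.tag.endswith("}webVideoPr"):
                    continue
                for attr, value in el.attrib.items():
                    if attr.split("}")[-1] == "embeddedHtml":
                        audit = EmbedAudit()
                        audit.feed(value)
                        findings += [f"{name}: {f}" for f in audit.findings]
    return findings
```

An empty list means every embed in the document loads only from allowlisted hosts and carries no script element; any finding is a reason to quarantine the file for review.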
Microsoft Word Vulnerabilities
This is not the first time Word has been vulnerable to attack. Last April, a zero-day security flaw in Word allowed an HTML document to infect systems with malicious content that allows attackers to control files.
The Microsoft Word document is created to look legitimate and sent by email. It downloads an infection in the form of a malicious HTML application from a server. This is designed to look like a Rich Text document file.
In January, Microsoft patched Word for a vulnerability that had been in the software for nearly two decades.