Quote:A stealthy malware delivery tactic has been uncovered in the way videos are embedded into Microsoft Word Documents, according to researchers. It allows JavaScript code-execution when a user clicks on a weaponized YouTube video thumbnail within a Word document – with no alert message displayed by Microsoft Office requesting user consent.

Researchers at Cymulate built a proof-of-concept attack using a YouTube video link and a Word document (although it’s possible to embed other kinds of video into Word, the researchers didn’t test those vectors, nor did it try this with other Office applications).

Word’s video-embedding feature creates an HTML script behind the video image, which is executed by Internet Explorer when the thumbnail inside the document is clicked.
According to a Cymulate analysis posted on Thursday, the team found that it’s possible to edit that HTML code to point to malware instead of the real YouTube video.