Researchers exploit Microsoft Word using embedded video feature

30 Oct 2018

Microsoft Word app. Image: dennizn/Depositphotos

Researchers at Cymulate found a security flaw in Microsoft Word.

Major airline Cathay Pacific last week announced it had become the victim of a massive data breach, with up to 9.4m passengers’ data affected. The airline said the combination of leaked data varied from customer to customer, but may have included passport numbers and email addresses.

Meanwhile, Apple CEO Tim Cook took to the stage for a keynote address at the International Conference of Data Protection and Privacy Commissioners, where he called for better privacy legislation in the US. Cook criticised the “data industrial complex” and described the actions of some tech firms as “surveillance”.

Read on for your fill of enterprise stories from the week gone by.

Microsoft Word flaw flagged by researchers

Security firm Cymulate said its researchers have found a way to infect computers via Word documents without triggering a security warning. The attack in question exploits a feature that allows document writers to embed videos directly into Word files. Attackers are able to replace the video’s iframe code with a payload by editing the ‘document.xml’ file. This can then be used to conduct a phishing attack.

According to Cymulate, it affects those who use Microsoft Office 2016 or older.

Microsoft said: “The product is properly interpreting html as designed – working in the same manner as similar products.” It recommended blocking Word documents that contain an ‘embeddedHtml’ tag in their ‘document.xml’ file and additionally blocking those with embedded video.

Girl Scouts branch in California hit by data breach

A Girl Scouts of America branch in Orange County, California, was hacked, exposing the information of 2,800 members and their families. According to Dark Reading, an unknown third-party actor accessed an email account operated by the branch, using the account to send their own messages.

As a result, the attacker may have been able to obtain personal data with their account access. Information possibly exposed includes home addresses, insurance policy numbers and birthdates of members. The branch said it is planning to start using a secure portal for processing the travel data of its troop.

US bans exports to Chinese semiconductor firm

The Trump administration has cut off Fujian Jinhua from US suppliers as the Chinese state-backed chipmaker fields accusations of intellectual property theft. The US government has put the company on a list of entities forbidden from buying circuits, software and technology goods from US firms.

According to Reuters, the US is concerned that Fujian Jinhua could flood the market with cheap chips. Micron, a US firm, has accused the Chinese business of stealing chip designs, along with a Taiwanese partner company.

Facebook removes fake accounts linked to Iran

Facebook said it has removed 82 pages, groups and accounts linked to Iran. It said they were created to look like they were being run by US and UK citizens.

Head of cybersecurity policy, Nathaniel Gleicher, said: “The page administrators and account owners typically represented themselves as US citizens – or, in a few cases, UK citizens – and they posted about politically charged topics such as race relations, opposition to the president and immigration.”

The company added that it now has more than 20,000 staff working specifically on security and safety on the platform.

Microsoft Word app logo. Image: dennizn/Depositphotos

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com