Researchers at Israel-based cyberattack simulation company Cymulate are claiming to have found a vulnerability in Microsoft Word's online video feature that can allow malicious actors to replace legitimate YouTube iframe code with malicious HTML/JavaScript code.

In a company press release, Cymulate warns that the unpatched zero-day flaw requires no special configuration to reproduce and potentially affects all users of Office 2016 and older versions of the software suite.

Cymulate told SC Media that it disclosed the bug to Microsoft three months ago, noting however that the flaw did not qualify for an official CVE identifier.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.