Threat Management, Threat Management, Malware, Network Security, Phishing, Vulnerability Management

Researcher: Microsoft Word feature can be exploited to display videos that mine cryptocurrency

Malicious actors can abuse Microsoft Word's Online Video feature to deliver videos that secretly exhaust their viewers' computer processing power in order to mine cryptocurrencies, according to Israeli cybersecurity firm Votiro.

The Online Video feature allows users to insert remote videos directly into their documents without having to embed them. But a Feb. 20 blog post from Votiro researcher Amit Dori claims due to that insufficient sanitization, the feature makes Word software vulnerable to browser-based cryptojacking – specifically when victims use Internet Explorer, whose frame “fits perfectly for this scenario, as users can be tricked into watching an ‘innocent' video while, in the background, their CPU is being exhausted.”

Dori further reports that Word's Online Video feature can also be leveraged to silently redirect users to exploit gates and web pages, or display an online phishing page.

Votiro says that upon private disclosure, the Microsoft Security Response Center did not consider the findings to constitute a security issue.

Reached for comment, a Microsoft spokesperson gave SC Media the following statement: “This technique relies on social engineering to convince a user to open a malicious document and disable Protected View. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.” The spokesperson also cited a Microsoft web page containing information about staying safe online.

Votiro's blog post also notes that attackers must convince their victims to disable Protected View in order to redirect them to an exploit kit using the Word's Online Video feature, although it does not say that this step is needed for cryptomining.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.