Cyber security researchers found a business logic bug in Microsoft Word 2016 and older versions. Using this vulnerability, an attacker can embed malicious code in a Word file, and that code runs when the document is in use.
A business logic bug is a little different from other kinds of vulnerabilities. Business logic vulnerabilities are ways of using the authorized processing flow or behaviour of an application that result in a negative consequence to the organization.
Comments from Manish Kumawat, Director at Cryptus Cyber Security Pvt Ltd, an organisation that provides cyber security services and corporate training to government and private organisations.
When a user attaches an online YouTube video link to an MS Word file, the Online Video attach option automatically creates an HTML embed script, which is executed when the viewer clicks the video thumbnail inside the document.
The document.xml file holds the embed code for the attached video link, and that code can be replaced with malicious JavaScript or HTML. In other words, an attacker can replace the original video code with malicious code that will infect the victim's system.
Discovered by researchers at Cymulate, the vulnerability affects the ‘Online Video’ feature in Word, the option that allows users to attach an online YouTube link. To prove the vulnerability, Cymulate researchers created a proof-of-concept attack demonstrating how the malicious code infects the victim's computer.
Cymulate researchers reported this bug, which impacts all users of MS Office 2016 and older versions, to Microsoft three months ago, but the company declined to acknowledge it as a security bug.
Microsoft has no plans to patch this logic bug and says its software is “properly interpreting HTML as designed.”
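Because the embed code lives in document.xml and can be swapped for other HTML, a defender can inspect it before a file reaches users. The following is an added example, not code from Cymulate, Microsoft or this article; it assumes the embed HTML is stored in the `embeddedHtml` attribute of the `w15:webVideoPr` element, and the sample documents, URLs and function names are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import quoteattr

W15 = "http://schemas.microsoft.com/office/word/2012/wordml"
YOUTUBE_EMBED = re.compile(r"https://www\.youtube(-nocookie)?\.com/embed/[\w-]+(\?\S*)?")

class EmbedAudit(HTMLParser):
    """Record every reason the embed HTML is not a plain YouTube iframe."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "iframe":
            self.findings.append(f"unexpected <{tag}> element")
        elif not YOUTUBE_EMBED.fullmatch(attrs.get("src") or ""):
            self.findings.append(f"iframe src is not a YouTube embed URL: {attrs.get('src')!r}")
        self.findings += [f"event handler attribute {n!r}" for n in attrs if n.startswith("on")]

def audit_docx(data: bytes) -> list:
    """Return findings for every online-video embed in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/document.xml" not in z.namelist():
            return []
        # ElementTree is enough for this sample; use a hardened XML parser on untrusted mail flow.
        root = ET.fromstring(z.read("word/document.xml"))
    findings = []
    for el in root.iter(f"{{{W15}}}webVideoPr"):  # assumed location of the embed HTML
        audit = EmbedAudit()
        audit.feed(el.get("embeddedHtml", ""))
        audit.close()
        findings += audit.findings
    return findings

def make_docx(embed_html: str) -> bytes:
    """Constructed sample: an archive holding only a minimal word/document.xml."""
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           f'xmlns:w15="{W15}"><w:body><w15:webVideoPr embeddedHtml={quoteattr(embed_html)} '
           'h="270" w="480"/></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

# Constructed inputs: an ordinary embed and a harmless stand-in for a replaced one.
BENIGN = '<iframe width="480" height="270" src="https://www.youtube.com/embed/VIDEO_ID_HERE" allowfullscreen></iframe>'
REPLACED = '<a href="https://example.invalid/" onclick="return false">video</a><script>/* placeholder */</script>'
```

An empty result means every embed in the file is a single iframe pointing at a YouTube embed URL; any finding is a reason to quarantine the document for manual review.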
Copyright © 2014 - 2021 The Global Indian New Network (TGINN)