Oct 06 2023

Microsoft Office XSS Flaw Let Attackers Execute Arbitrary Code

Category: Cyber Attack,Remote codedisc7 @ 6:46 am

A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite. 

This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.

The XSS Vulnerability

Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.

The XSS Vulnerability

When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy. 

This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.

If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.

The server responds with information, including the video’s title, description, and the HTML iframe tag. 

The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation. 

As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.

Exploitation

To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report

Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.

Exploitation
Exploitation

Here is a simplified overview of the steps an attacker would take to exploit this flaw:

  1. Create a YouTube video with a payload in the title.
  2. Insert the URL of the malicious video into a Word document.
  3. Set up a web server to serve malicious JavaScript code.

Implications

This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played. 

While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.

Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI). 

This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents. 

Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.

Cross Site Scripting: XSS Defense Made Easy

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cross site scripting, Execute Arbitrary Code, XSS Flaw


Mar 24 2010

8 tips for safer online shopping

Category: Information SecurityDISC @ 6:14 pm

By Microsoft.com
Online threats today come in the form of attacks on you and attacks on your computer. Here are eight (8) ways for you to have a safer online shopping experience:

1. Keep your computer software up to date.
Keep all software (including your web browser) current with automatic updates. If you are not already running Internet Explorer 8, the latest version of our web browser, click the button to the right to get it.

2. Defend your computer.
Use firewall, antivirus, antispam, and antispyware software. For an added layer of protection on your PC, you can download Microsoft Security Essentials for free or find other antivirus solutions.

3. Avoid phishing scams and malware.
By default Internet Explorer 8 runs SmartScreen Filter to help block and warn you of malicious software or phishing threats. SmartScreen Filter alerts you if a site you are trying to open has been reported as unsafe and allows you to report any unsafe sites you find.

4. Protect yourself from emerging threats
Cross-site scripting attacks are one of the increasingly sophisticated methods online criminals use to get your personal information. By default Internet Explorer 8 helps protect you against these attacks with a built-in Cross Site Scripting (XSS) Filter that is always on.

5. Identify fake Web addresses.
Internet Explorer 8 helps you avoid deceptive websites that can trick you with misleading addresses. The domain name in the address bar is highlighted in black to make it easier to identify a site’s true identity.

6. Browse more privately.
When you’re using a public computer to check e-mail or you’re shopping for a “surprise” gift on a family PC, it’s a good idea to use InPrivate Browsing—a feature that helps prevent your browsing history, cookies, and other information from being retained on your computer.

7. Make sure payment websites use encryption.
To confirm that a website uses encryption when processing credit card information, look for:

■ An “s” after http in the Web address—it should read https:

■ A tiny closed padlock in the address bar, or at the lower-right corner of the window.

■ A green address bar—Internet Explorer 8 uses this to indicate a trustworthy site.

8. Never respond to unsolicited requests to update your account information.
These e-mail messages might be scams for stealing your identity. Most legitimate companies never send unsolicited e-mail or instant message requests for your passwords or other personal information. And remember, if it sounds too good to be true, it probably is.




Tags: cross site scripting, Internet Explorer, Internet Explorer 8, Malware, Microsoft Security Essentials, phishing, Web browser


Sep 04 2008

Web 2.0 and more data

Category: Information Security,Web 2.0DISC @ 5:52 pm

According to the Identity Theft Resource Center of San Diego, “the data breaches are on the rise in 2008” and with more data breaches so are the impact and amount of losses. Web 2.0 is next phase of internet creation, where huge social networks are built and citizens of the network enjoy the interactive and conversational approach of the new web frontier. Does the web 2.0 introduce new threats which can be exploited by cyber criminals?

To aid a social communication, users are required to input personal profile including birth date and residence addresses into these social networks to participate, which happens to provide a target rich environment for cyber criminals. These days new attacks are already taking advantage of personal information, some of which is retrieved from social network sites. If the account is hacked/breached from one of these social network sites, the impersonator can damage the (personal and professional) reputation by modifying the profile or changing/inserting the contents or comments.

Cross site scripting is one of the major threat facing Web 2.0, below is an example of XSS.

“In an incident reported in early December 2006 by Websense, hackers compromised the MySpace social networking site and infected hundreds of user profiles with a worm. This malicious code exploited a known vulnerability to replace the legitimate links on the user profiles with links to a phishing site, where victims were asked to submit their username and password. In addition, according to Websense, the worm embedded infected video in victims’ user profiles.”

AJAX is one of the main programming languages used to develop Web 2.0.

“A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window.”

What if you happen to be a peace activist or a whistle blower in your company? Then perhaps Uncle Sam or your employer wants to settle scores with you for some reason. The question is who is monitoring them or for that matter stopping them from getting into your account to steal or modify data to damage your reputation or career? The point is, besides all the functional benefits, web 2.0 comes with new threats which we need to be aware of. Without knowing these risks we can’t manage or mitigate them to a point which is acceptable to the society at large.

Web 2.0 contents are mostly interactive or dynamic in nature. The tools which were used to defend static contents might not be feasible for dynamic web 2.0 contents. Non-repudiation, validating the source and real time verification of the contents might be necessary to stay on top of the dynamic nature of web 2.0 threats.

Web 2.0 – Opportunity 2.0 or Threat 2.0?

How freely available online infomation on Web 2.0 was utilized to break into online banking account

Web 2.0 … The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=6gmP4nk0EOE


(Free Two-Day Shipping from Amazon Prime). Great books




Tags: ajax, cross site scripting, cyber criminals, data breaches, identity theaft, mitigate, non-repudiation, phishing, Web 2.0, web 2.0 threats, websense, xss