Malicious actors can abuse Microsoft Word's Online Video feature to deliver videos that secretly exhaust their viewers' computer processing power in order to mine cryptocurrencies, according to Israeli cyber-security firm Votiro.
The Online Video feature allows users to insert remote videos directly into their documents without having to embed them. But a 20 February blog post from Votiro researcher Amit Dori claims due to that insufficient sanitisation, the feature makes Word software vulnerable to browser-based cryptojacking – specifically when victims use Internet Explorer, whose frame “fits perfectly for this scenario, as users can be tricked into watching an ‘innocent' video while, in the background, their CPU is being exhausted.”
Dori further reports that Word's Online Video feature can also be leveraged to silently redirect users to exploit gates and web pages, or display an online phishing page.
Votiro says that upon private disclosure, the Microsoft Security Response Center did not consider the findings to constitute a security issue.
Reached for comment, a Microsoft spokesperson gave SC Media the following statement: “This technique relies on social engineering to convince a user to open a malicious document and disable Protected View. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.” The spokesperson also cited a Microsoft web page containing information about staying safe online.
Votiro's blog post also notes that attackers must convince their victims to disable Protected View in order to redirect them to an exploit kit using the Word's Online Video feature, although it does not say that this step is needed for cryptomining.