Vulnerability in Word could allow the execution of mining code
bitcoin·@briseth·
https://cdn.coincrispy.com/wp-content/uploads/2018/02/acceder-webs-bloqueadas-espana.jpg

Security researchers at the firm Votiro have revealed that scripts that mine cryptocurrencies through JavaScript can also be executed within Microsoft Word files.

## Is it possible to mine cryptocurrencies through Word?

The vulnerability stems from a feature incorporated into recent versions of Word, which lets users embed Internet videos in their documents without adding the video itself to the document. When users copy and paste the link into a pop-up Word window, the video is shown in the document the next time they open it.

However, researchers from the Israeli firm Votiro have revealed that hackers could take advantage of this video embedding function to add mining scripts and mine Monero without the user knowing.

Votiro researcher Amit Dori says this is possible because Word allows iframe code from any website to be inserted, without validating whether or not it is a video. In addition, Dori states that the pop-up window where the video is played is nothing more than an Internet Explorer window. The user does not notice this, because the window does not include the typical browser window frame.

## Phishing vulnerability

A hacker could exploit this vulnerability in Word by inserting into a Word document a video that is hosted on his server; when the victim opens it, Internet Explorer would execute the mining code from the hacker's server.

However, Votiro's report says that the seriousness of this issue is not that hackers can mine cryptocurrencies through Word, since in that case the video must be played for a long time for the hacker to obtain some benefit. Rather, the biggest problem is that this vulnerability can open the door to phishing attacks. For example, the hacker would be able to display fake versions of official websites to obtain credentials and private user data, such as opening a home page similar to Office 365 and requesting the user's username and password.

The company has reported the problem to Microsoft; however, Dori revealed that it is not a serious security problem, as even some antivirus products detect it.
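
Because Word does not validate what the embed code loads, a mail gateway or triage script can do that check before a document reaches a user. The following is an added example, not code from Votiro or from the original post: it reads the embed markup stored in a .docx and flags anything that is not an iframe pointing at an allowlisted video host. The `embeddedHtml` attribute name, the host allowlist and the sample document are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted files
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts your organisation accepts as genuine video providers.
ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}

class EmbedParser(HTMLParser):
    """Collect (tag, src) for every tag in the embed markup that can load or run content."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if src or tag == "script":  # an inline <script> has no src but still executes
            self.found.append((tag, src))

def audit_docx(data):
    """Return (part, tag, host, verdict) for each embed found in a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as docx:
        for part in docx.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            for el in ET.fromstring(docx.read(part)).iter():
                for attr, markup in el.attrib.items():
                    # Assumption: Word keeps the pasted embed code in an
                    # `embeddedHtml` attribute of the document XML.
                    if attr.rsplit("}", 1)[-1] != "embeddedHtml":
                        continue
                    parser = EmbedParser()
                    parser.feed(markup)
                    for tag, src in parser.found:
                        host = urlparse(src).hostname or ""
                        ok = tag == "iframe" and host in ALLOWED_HOSTS
                        findings.append((part, tag, host, "ok" if ok else "suspicious"))
    return findings

def build_sample(embed_html):
    """Constructed, minimal stand-in for a .docx (not a complete Word file)."""
    root = ET.Element("document")
    ET.SubElement(root, "webVideoPr", {"embeddedHtml": embed_html})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", ET.tostring(root))
    return buf.getvalue()
```

To scan a real file, pass its bytes to `audit_docx` and quarantine or strip any document that returns a `suspicious` row.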