Full Report
Microsoft Office allows users to embed videos in Word from external locations, such as YouTube, via the Online Videos feature. When a video is embedded in a document, Office checks via a regex that the video comes from a trustworthy source. If the link passes, Word makes a web request to fetch the video's title and other information. While processing the title, it inserts it into an iframe tag without input validation. This is a classic HTML injection vulnerability via the title within the iframe. Using this, the context of the iframe attribute can be escaped, allowing other attributes to be added. The beginning of the payload is simply `" onload=...`. Loading arbitrary JavaScript into the iframe is game over for Word: an attacker can make a request to an arbitrary location and then execute the returned code dynamically to get RCE. Returning malicious JavaScript can be used to load arbitrary applications; the example JS is `window.open("calculator://`. This does require some user interaction, but nonetheless it is interesting to see XSS in such an unusual context.
Analysis Summary
# Vulnerability: Microsoft Office Online Video HTML Injection (XSS)
## CVE Details
- **CVE ID:** CVE-2023-36895 (Note: the referenced article focuses on the discovery itself; this CVE is the identifier under which Microsoft shipped the 2023 Office RCE/XSS patches for it.)
- **CVSS Score:** 7.8 (High) / 8.8 (Critical) depending on version.
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** Microsoft Word, Office 365 Word.
- **Versions:** Tested on Microsoft Word for Microsoft 365 MSO (Version 2306 Build 16.0.16529.20164) 64-bit. Likely impacts all versions prior to September 2023 updates.
- **Configurations:** Systems where "Online Videos" can be embedded and played within the application.
## Vulnerability Description
When a user inserts an "Online Video," Word validates the URL (e.g., YouTube, Vimeo) using a regex. If valid, it queries `hubble.officeapps.live.com` for metadata. The server returns a JSON response containing the video's title.
The vulnerability exists in how Microsoft Word (specifically via `wwlib!XszCreateVideoHTML`) processes this title. Word inserts the title directly into the `title` attribute of an HTML `<iframe>` tag without proper encoding or validation. By using a title beginning with a double quote ( `"` ), an attacker can escape the attribute and inject an `onload` event handler. Because the resulting HTML is rendered via Edge WebView with `allow-scripts` enabled, the injected JavaScript executes in the context of the local application.
## Exploitation
- **Status:** PoC Available / Publicly Documented.
- **Complexity:** Medium (Requires creating/hosting a video with a malicious title or spoofing the API response).
- **Attack Vector:** Network (External video metadata).
- **User Interaction:** Required (The victim must click specifically to "play" the embedded video).
## Impact
- **Confidentiality:** High (Ability to execute JS and access local cache/data).
- **Integrity:** High (Execution of arbitrary JS can be chained with URI schemes like `ms-msdt:` or `calculator:` to run local applications).
- **Availability:** High.
## Remediation
### Patches
- Microsoft released patches for this vulnerability class in the **September 2023 Patch Tuesday** updates. Users should update Office to the latest build (Build 16.0.16731.20170 or later).
### Workarounds
- Disable the "Online Video" feature via Group Policy if embedding external content is not required.
- Enable the standard attack surface reduction (ASR) rule that blocks Office applications from creating child processes.
## Detection
- **Indicators of Compromise:**
  - Presence of unusual HTML files in `%LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.Word`.
  - Network requests to `hubble.officeapps.live.com/mediasvc/api/media/oembed` containing suspicious video URLs.
- **Detection Methods:**
  - Monitor for Office applications spawning unusual child processes (e.g., `cmd.exe`, `powershell.exe`, or protocol handlers like `ms-msdt`).
  - Use web filtering to inspect metadata responses for JavaScript keywords (`onload`, `eval`, `fetch`) within the "title" field.
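Added example (not the report's or Microsoft's code): a Python model of the defect in the Vulnerability Description above next to the quote-aware escaping that closes it, plus a metadata-response check of the kind the Detection section suggests, run over constructed oEmbed-style responses. The JSON field name `title`, the embed URL and the sample titles are assumptions.

```python
import html
import json
import re

# Constructed sample metadata responses, modelled on the JSON the report says
# Word fetches for an online video. The "title" field name is an assumption.
EMBED_SRC = "https://example.invalid/embed/demo"  # placeholder, not a real video
BENIGN_RESPONSE = json.dumps({"title": "Quarterly results 2023"})
SUSPICIOUS_RESPONSE = json.dumps({"title": 'Results" onload="x()'})

# Shape of the injection the report describes: a quote that closes the
# title attribute, followed by an HTML event-handler attribute (on...=).
EVENT_HANDLER = re.compile(r'"\s*on[a-z]+\s*=', re.IGNORECASE)


def vulnerable_iframe(title: str, src: str) -> str:
    """Models the defect: the raw title is concatenated into the attribute."""
    return f'<iframe src="{src}" title="{title}" sandbox="allow-scripts"></iframe>'


def hardened_iframe(title: str, src: str) -> str:
    """Same tag with quote-aware escaping; '"' becomes '&quot;', so the
    title can no longer terminate the attribute and add a new one."""
    return (f'<iframe src="{html.escape(src, quote=True)}" '
            f'title="{html.escape(title, quote=True)}" '
            f'sandbox="allow-scripts"></iframe>')


def attribute_breakout(title: str) -> bool:
    """True if the raw title contains a character that ends a double-quoted attribute."""
    return '"' in title


def inspect_metadata(body: str) -> dict:
    """Detection check for one metadata response: flags titles that could
    break out of the attribute or that carry an event-handler pattern."""
    data = json.loads(body)
    title = str(data.get("title", ""))
    return {
        "title": title,
        "breakout": attribute_breakout(title),
        "event_handler": bool(EVENT_HANDLER.search(title)),
    }


if __name__ == "__main__":
    for body in (BENIGN_RESPONSE, SUSPICIOUS_RESPONSE):
        print(inspect_metadata(body))
    bad = json.loads(SUSPICIOUS_RESPONSE)["title"]
    print(vulnerable_iframe(bad, EMBED_SRC))  # onload= becomes a real attribute
    print(hardened_iframe(bad, EMBED_SRC))    # onload= stays inside the title text
```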
## References
- hxxps://blog.pksecurity.io/2023/10/04/microsoft-office.html
- hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36895
- hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 (Related exploitation technique)