Press release content from BusinessWire. The AP news staff was not involved in its creation.

Cymulate Finds Logical Bug in Microsoft Office Suite – Word Embedded Video Code Execution

October 25, 2018 GMT

TEL AVIV, Israel--(BUSINESS WIRE)--Oct 25, 2018--Cymulate, a leading provider of Breach & Attack Simulation (BAS) solutions and a Gartner 2018 Cool Vendor, announced today it has uncovered a security flaw in Microsoft Office Suite which may affect Word users.


Cymulate’s security research team identified the bug and notified Microsoft. The flaw allows JavaScript code execution within the Office embedded-video component. It has the potential to impact all users with Office 2016 and older versions of the popular productivity suite. Cymulate noted that no configuration was required to reproduce the issue and that no security warning is presented when such a document is opened with Microsoft Word.

“We are proud of our security research team who discovered and identified this bug. The team continuously monitors the cyber-threat landscape to provide a thorough view of emerging threats, constantly updating our platform so our users can validate if they are vulnerable to the latest and most advanced threats,” said Avihai Ben-Yossef, co-founder and CTO of Cymulate.

This logical bug is revealed when a user embeds a video via the ‘online video’ feature. It resides in the .xml file, where a parameter called embeddedHtml refers to the YouTube iframe code. Hackers can replace the current YouTube iframe code with malicious HTML/JavaScript that would be rendered by Internet Explorer.
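A defender-side check for the tampering described above, as an added example that is not Cymulate's or Microsoft's code: it inventories every embeddedHtml attribute in a .docx package and reports anything other than an allow-listed video iframe. The host allow-list, the function names, and the `word/document.xml` part and `webVideoPr` element used in the constructed sample are assumptions of this example.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # assumed allow-list

class EmbedAudit(HTMLParser):
    """Records why an embeddedHtml value is not a plain allow-listed video iframe."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        host = re.match(r"(?:https:)?//([^/?#]+)/", src)  # strict: exact host, HTTPS only
        if tag != "iframe":
            self.findings.append(f"unexpected <{tag}> element")
        elif not host or host.group(1) not in ALLOWED_HOSTS:
            self.findings.append(f"iframe src not allow-listed: {src!r}")
        for name, value in attrs:
            if name.startswith("on") or "javascript:" in (value or "").lower():
                self.findings.append(f"script-bearing attribute {name!r} on <{tag}>")

def audit_html(html):
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def scan_docx(data):
    """Map each XML part holding an embeddedHtml attribute to its findings ([] = clean)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in (n for n in pkg.namelist() if n.endswith(".xml")):
            for el in ET.fromstring(pkg.read(part)).iter():  # prefer a hardened XML parser
                for attr, value in el.attrib.items():
                    if attr.rsplit("}", 1)[-1] == "embeddedHtml":  # ignore namespace prefix
                        report.setdefault(part, []).extend(audit_html(value))
    return report

def make_docx(embedded_html):
    """Constructed sample package; the namespace URIs are placeholders, not Word's."""
    xml = ('<w:document xmlns:w="urn:example:w" xmlns:wp15="urn:example:wp15">'
           f'<wp15:webVideoPr embeddedHtml={quoteattr(embedded_html)}/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", xml)
    return buf.getvalue()
```

An empty findings list for a part means the document embeds a video and the embed still looks like an ordinary player iframe; any finding means the attribute was edited after Word wrote it or points somewhere outside the allow-list.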

One way attackers can exploit this is through phishing.

The video shows how an attacker would use this feature to trick users into installing a fake required software update.

Read all the technical details on the Cymulate blog here.

Cymulate has notified Microsoft of this bug.


About Cymulate

Cymulate helps companies to stay one step ahead of cyber attackers with a unique breach and attack simulation platform that empowers organizations with complex security solutions to safeguard their business-critical assets. By mimicking the myriad of strategies hackers deploy, the system allows businesses to assess their true preparedness to handle cyber security threats effectively. For more information, visit and register for a Free Trial.

CONTACT: For Cymulate

Marianne Sabella-Dempsey, 617-233-8675



SOURCE: Cymulate

Copyright Business Wire 2018.

PUB: 10/25/2018 11:45 AM/DISC: 10/25/2018 11:45 AM