
Microsoft Word

Product
The name of the base system (platform): Microsoft Office
Developers: Microsoft
Last Release Date: 2022/05/30
Technology: Office applications

Content

2022

Ability to remotely execute arbitrary code using a 0-day vulnerability

On May 30, 2022, it became known that a 0-day vulnerability in Office allows an attacker to remotely execute arbitrary code.

Cybersecurity researcher Nao_sec discovered a malicious Word document, 05-2022-0438.doc, which was uploaded to VirusTotal by a user from Belarus. The document uses the remote template feature to retrieve HTML, and then uses the "ms-msdt" URI scheme to execute PowerShell code. The problem affects Microsoft Office, Office 2016 and Office 2021. Cybersecurity expert Kevin Beaumont has published an analysis of the vulnerability.

"The document uses the remote Word template function to extract an HTML file from a remote server that uses the ms-msdt MSProtocol URI schema to load code and execute PowerShell scripts," wrote Beaumont in the report.

"The first problem is that Microsoft Word executes code through the ms-msdt support tool even with macros disabled. Protected viewing is started, but if you change the document to RTF format, protected viewing is enabled even without opening the document (through the preview tab in Explorer)," added the researcher.
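A defensive triage example for the mechanism described above, added here and not taken from Beaumont's analysis or from Microsoft: it lists external, non-hyperlink relationships in an OOXML package (where a remote template reference is stored) and checks retrieved HTML for the ms-msdt scheme. It assumes the file is an OOXML (ZIP) package; the function names, the sample package, the URLs and the sample HTML are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MSDT_URI = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def remote_references(package):
    """List (part, relationship kind, target) for external, non-hyperlink relationships."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(part)).iter(PKG_REL):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                external = rel.get("TargetMode", "").lower() == "external"
                # Hyperlinks are external too, but are only followed on a click.
                if external and kind != "hyperlink":
                    hits.append((part, kind, rel.get("Target", "")))
    return hits


def references_msdt(html):
    """True if retrieved HTML mentions the ms-msdt URI scheme anywhere."""
    return bool(MSDT_URI.search(html))


def build_sample():
    """Constructed OOXML package: one ordinary hyperlink, one remote template."""
    def rels(kind, target):
        return ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}{kind}" Target="{target}" TargetMode="External"/>'
                '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels("hyperlink", "https://example.com/"))
        zf.writestr("word/_rels/settings.xml.rels",
                    rels("attachedTemplate", "https://template.example.invalid/t.html"))
    return buf.getvalue()


SAMPLE_HTML = '<script>location.href = "ms-msdt:PLACEHOLDER";</script>'  # constructed, inert

if __name__ == "__main__":
    for part, kind, target in remote_references(build_sample()):
        print(f"{part}: {kind} -> {target}")
    print("ms-msdt in retrieved HTML:", references_msdt(SAMPLE_HTML))
```

For samples of unknown origin, parse the relationship parts with a hardened XML parser such as defusedxml rather than the standard library one.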

Microsoft began to block the execution of VBA macro scripts in five Microsoft Office applications. Since the beginning of April 2022, Microsoft Access, Excel, PowerPoint, Visio and Word cannot enable macro scripts in untrusted documents downloaded from the Internet.

Microsoft also increased the amount of payments for detecting "significant" vulnerabilities in Office 365 as part of the vulnerability detection reward program.[1]

Default Macro Lock

On February 8, 2022, it became known that Microsoft will block the execution of VBA macro scripts in five Microsoft Office applications by default. Since the beginning of April 2022, Microsoft Access, Excel, PowerPoint, Visio and Word users will not be able to enable macro scripts in untrusted documents downloaded from the Internet.

2021: Announcing a tool that turns a Word document into a PowerPoint presentation

At the end of March 2021, Microsoft announced the launch of a tool for the web version of Word, which allows users to convert text documents into PowerPoint presentations. The new conversion feature, which was previously only available to Office Insider members, is now available to all Microsoft 365 subscribers.

This feature leverages artificial intelligence (AI) capabilities to save you time and provide options for creating Designer-based slides in PowerPoint. Slides use section headings, so before you use, make sure that your Word document is organized accordingly for optimal suggestions. Based on keywords in the Designer document, PowerPoint will select images, icons, videos, themes, and fonts to organize content. If necessary, you can always edit the options offered by the algorithm, the company explained in a blog post.

Microsoft introduced a tool that turns a Word document into a PowerPoint presentation

To get started, open the desired document in Word and select the Export option from the File menu. Then select the item "Export to a PowerPoint presentation," choose a design and wait until the necessary transformations are performed. When the file is finished, the user will be prompted to specify the name of the resulting presentation, and the file will be automatically saved to the root folder of the user's OneDrive.

As of March 23, 2021, this feature only works with English-language documents and is incompatible with some browsers, including Safari and Internet Explorer. In addition, the service so far works only with text documents and does not support other multimedia content, such as images, so these have to be inserted into the presentation manually.[2]

Notes