A security researcher found a possible exploit in Microsoft’s PowerPoint that would let an attacker run an application when the user simply hovers the mouse over a link.
By default, PowerPoint won’t open an application when the user hovers the cursor over a link. Microsoft fixed this vulnerability a while ago, so it’s no longer possible to run local apps in this manner.
But a security researcher found a way to skirt this restriction by having the same hover action run the “HyperLink To” action and setting it to an “Other file.” Making matters worse, the action can link to either a local file or a remote one, since SMB connections in Windows 10 are possible over the Internet, even when the ports are closed. An attacker only needs a web server that supports the WebDAV extension.
Then comes the tricky part, and the reason Microsoft didn’t want to patch the problem, according to the researcher. When the user hovers over the link, a pop-up shows, and the user needs to hit OK and Run to allow the binary to run. Technically, this also involves a social engineering attack, which is more complex and requires users to agree to actions.
“Also if an HTTP/HTTPS URL is linked with the hyperlink action, then the OS would download the file using a browser on the system at which point Windows Defender/SmartScreen would kick in indicating that it is an untrusted file and even if we hit ‘Run’, it will quarantine the file, so an attacker can bypass that using this method,” explains the researcher.
Interestingly, similar attacks in use right now rely on macros in Office files. Even if macros are disabled on the user’s side, the attack continues unabated if the user accepts the pop-up that warns about running macros.
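
For defenders who want to triage presentations for the hover action described above, the following is an added example (not code from the researcher or Microsoft) that lists every mouse-over hyperlink in a .pptx whose target is an external file or URL. It assumes the hover link is stored as an `a:hlinkMouseOver` element resolved through the slide's relationship part; the sample package, its `ppaction://hlinkfile` action string and the `example.test` host are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

A = "http://schemas.openxmlformats.org/drawingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
SLIDE_RE = re.compile(r"ppt/slides/(slide\d+\.xml)$")

def is_remote(target):
    """True for http(s) URLs, UNC paths, and file: URLs naming a host or wrapping a UNC path."""
    t = target.lower()
    if t.startswith(("http://", "https://", "\\\\")):
        return True
    rest = t[5:] if t.startswith("file:") else ""
    return bool(re.match(r"//[^/\\]", rest)) or rest.lstrip("/").startswith("\\\\")

def find_hover_links(pptx_bytes):
    """List every mouse-over action whose relationship target is external."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = SLIDE_RE.match(name)
            if not m:
                continue
            rels, rels_name = {}, f"ppt/slides/_rels/{m.group(1)}.rels"
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{PKG}}}Relationship"):
                    rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode"))
            for el in ET.fromstring(z.read(name)).iter(f"{{{A}}}hlinkMouseOver"):
                target, mode = rels.get(el.get(f"{{{R}}}id"), ("", None))
                if mode == "External":
                    findings.append({"slide": m.group(1), "action": el.get("action", ""),
                                     "target": target, "remote": is_remote(target)})
    return findings

def build_sample():
    """Constructed slide + rels parts only (not a complete presentation)."""
    # Assumption: the action string below is how the "Other file" link is serialized.
    slide = (f'<p:sld xmlns:p="urn:constructed" xmlns:a="{A}" xmlns:r="{R}">'
             '<a:hlinkMouseOver r:id="rId2" action="ppaction://hlinkfile"/><a:hlinkClick r:id="rId3"/></p:sld>')
    rels = (f'<Relationships xmlns="{PKG}">'
            '<Relationship Id="rId2" Target="file:///\\\\files.example.test\\share\\sample.bin" TargetMode="External"/>'
            '<Relationship Id="rId3" Target="https://example.test/" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Ordinary click hyperlinks are ignored on purpose, so a hit means a target is reachable by hovering alone. When scanning files from untrusted senders, swap the standard-library XML parser for a hardened one such as `defusedxml`.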