Last Updated: 2019-07-06 23:38:52 UTC
by Didier Stevens (Version: 1)
Now, malicious XSL files will not execute just by double-clicking them. On a default Windows install, Internet Explorer will be launched to display the content of the file as XML:
But in this case, the malicious Word document contains VBA code that will launch a WMIC query with the XSL file as stylesheet:
This results in the execution of the code inside the XSL file, as discovered and reported by subTee/Casey Smith last year.
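A detection sketch for the behaviour described above, added here as an example and not part of the original diary: it flags process-creation events where WMIC is given a stylesheet file or URL through its `/format` switch, and raises the severity when the parent is an Office application. The event field names, the Office process list and the sample events are assumptions constructed for illustration.

```python
import re

# Office hosts whose macros can spawn child processes (assumed list, extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# WMIC's /format switch; the value may be quoted (and then may contain spaces).
FORMAT_RE = re.compile(r'/format\s*:\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return re.split(r"[\\/]", path)[-1].lower()

def stylesheet_arg(command_line):
    """Return the /format value if it names a file or URL, not a built-in keyword."""
    m = FORMAT_RE.search(command_line)
    if not m:
        return None
    value = (m.group(1) or m.group(2)).strip()
    low = value.lower()
    if low.endswith(".xsl") or "://" in low or "\\" in low or "/" in low:
        return value
    return None  # built-in keyword such as /format:csv or /format:list

def classify(event):
    """Return (severity, stylesheet) for one process-creation event, or None."""
    if basename(event["image"]) != "wmic.exe":
        return None
    sheet = stylesheet_arg(event["command_line"])
    if sheet is None:
        return None
    from_office = basename(event["parent_image"]) in OFFICE_PARENTS
    return ("high" if from_office else "medium", sheet)

# Constructed sample events (hypothetical field names, not from a real log).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic os get /format:"C:\Users\Public\sample.xsl"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic process list brief /format:csv"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\Public\sample.xsl"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["command_line"])
```

The check is a heuristic on the command line only; administrative scripts that legitimately pass their own stylesheet to WMIC will also match and need allow-listing.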