Hovering over a link in a malicious PowerPoint file can execute malware

Jack Wilkinson

A new vulnerability has been found that can allow malware to spread when a user merely hovers over a link in a PowerPoint document (via Ars Technica).

This kind of attack is different in that it doesn’t require the macros or scripts seen in previous attacks. Instead, merely hovering over what could seem like a legitimate link is enough to kick-start the infection process.

The attack works by using Windows PowerShell. Newer versions of PowerPoint will ask users whether they’d like to exit Protected View, whereas older versions are less protected.

One way this trick can be used is to place a malicious link in a PowerPoint that says “Loading…”. Users are then likely to disable Protected View to see the full document, hover over the link and unknowingly infect their PC with malware.

While there is no fix so far, users are advised to be wary of which PowerPoint documents they open and which links they hover over.
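
One check a defender can run on a received file before opening it, as an added example that is not from the original article: the Python below lists the mouse-over actions in a .pptx and marks the ones that need review. It assumes the hover action is stored as a DrawingML `a:hlinkMouseOver` element with a `ppaction://program` action, details the article does not give; the function names and the sample input are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# DrawingML, relationship-attribute and package-relationship namespaces.
A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SLIDE = re.compile(r"^ppt/slides/slide\d+\.xml$")

def parse(data):
    # OOXML parts never need a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in data:
        raise ValueError("unexpected DTD in OOXML part")
    return ET.fromstring(data)

def find_hover_actions(pptx_bytes):
    """Return one finding per mouse-over hyperlink action on any slide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(n for n in names if SLIDE.match(n)):
            # r:id values on the slide resolve through the slide's .rels part.
            rels = "ppt/slides/_rels/" + name.rsplit("/", 1)[1] + ".rels"
            rel_els = parse(z.read(rels)).iter(REL + "Relationship") if rels in names else []
            targets = {r.get("Id"): (r.get("Target"), r.get("TargetMode")) for r in rel_els}
            for el in parse(z.read(name)).iter(A + "hlinkMouseOver"):
                action = el.get("action", "")
                target, mode = targets.get(el.get(R + "id"), (None, None))
                # Program launches and external targets need review; in-deck jumps do not.
                review = action.startswith("ppaction://program") or mode == "External"
                findings.append({"slide": name, "action": action,
                                 "target": target, "review": review})
    return findings

def constructed_sample():
    """Constructed two-part zip for the demo; not a working presentation."""
    slide = ('<s xmlns:a="%s" xmlns:r="%s"><a:hlinkMouseOver r:id="rId2" '
             'action="ppaction://program"/></s>' % (A[1:-1], R[1:-1]))
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" TargetMode="External" '
            'Target="PLACEHOLDER-COMMAND"/></Relationships>' % REL[1:-1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_hover_actions(constructed_sample()))
```

A finding with `review` set is a reason to inspect the file in an isolated environment, not proof that it is malicious.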