I released CSRF in MSWord Part 1 a couple of weeks ago, where we utilise frames to backdoor Word documents. SANS Handlers commented on this find with some interesting points.

RSnake decided to play a little with this idea and has published CSRF with MSWord Part II where he has uncovered a really neat way to backdoor .doc files by adding HTML into the META section of the document. This reminds me alot of the technique used by pdp in Backdooring Quicktime. I havent tested this yet but am already getting ideas

It is scary to see typical web application vulnerabilities spreading to Word and others. My Backdooring PDF files article also exploited web features within an application. These issues were all found within a matter of hours not days and certainly not weeks. Low hanging fruit