As part of the December 2017 Patch Tuesday, Microsoft shipped an Office update that disables the DDE feature in Word, after several malware campaigns abused the feature to install malware.
DDE stands for Dynamic Data Exchange, a Windows inter-process messaging protocol that Office applications use to exchange data with other applications. For example, a Word document can refresh a table by pulling data from an Excel workbook every time the Word file is opened.
DDE is an old mechanism that Microsoft superseded with Object Linking and Embedding (OLE), but Office applications still support it for backward compatibility.
DDE feature abused to install malware
In October 2017, security researchers from SensePost published a tutorial showing how the DDE feature could be weaponized to run code from a Word document without macros: a DDE field in the document names the program to start, and Word launches it when the document is opened, after showing two prompts that the user has to accept.
Although DDE had already been abused to deliver malware in the 1990s, the method described in the SensePost tutorial was quickly adopted by malware distributors, first by FIN7, a group that specializes in attacking financial organizations, and then by distributors of run-of-the-mill malware.
At the time, Microsoft did not treat DDE as a vulnerability in the Office suite, describing it instead as just another legitimate feature being abused to distribute malware.
Microsoft's reasoning was that Office warns the user before a document's DDE fields are acted on. This is another case of malware authors finding a creative way to abuse a legitimate feature, as they have done with OLE objects and macros, for which Office also shows a warning before running them.
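To make the technique concrete, here is an added example (my own code, not SensePost's or Microsoft's) of what a weaponized field looks like inside the .docx package and how to find one. It relies on how Word stores field codes in WordprocessingML: a simple field keeps its instruction in w:fldSimple/@w:instr, and a complex field is a run sequence of fldChar begin, one or more instrText runs, fldChar separate and fldChar end. A field whose instruction starts with DDE or DDEAUTO is a DDE field. Real lures split the keyword over several instrText runs, so the scanner joins the pieces per field before matching. Both sample documents are constructed inline; the cmd.exe /k calc.exe payload is the harmless command used in public proofs of concept and is never executed here.

```python
"""Find DDE / DDEAUTO fields in a .docx package (added example; not SensePost's or Microsoft's code)."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace; every field element below lives in it.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE = f"{{{W}}}fldSimple"
FLD_CHAR = f"{{{W}}}fldChar"
INSTR_TEXT = f"{{{W}}}instrText"
# A field is a DDE field when its instruction starts with DDE or DDEAUTO (case-insensitive).
DDE_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.IGNORECASE)


def field_instructions(part_xml: bytes):
    """Yield the complete instruction string of every field in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex fields are a run
    sequence fldChar(begin) .. instrText* .. fldChar(separate) .. fldChar(end); the instruction
    may be split over many instrText runs (a common obfuscation), so pieces are joined per field.
    Fields can nest, hence the stack."""
    root = ET.fromstring(part_xml)
    open_fields = []                      # one list of text pieces per open complex field
    for el in root.iter():                # document order, which is what fldChar sequencing needs
        if el.tag == FLD_SIMPLE:
            yield el.get(f"{{{W}}}instr", "")
        elif el.tag == FLD_CHAR:
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                yield "".join(open_fields.pop())
        elif el.tag == INSTR_TEXT and open_fields:
            open_fields[-1].append(el.text or "")


def scan_docx(package: bytes):
    """Return [(part_name, normalized_instruction)] for each DDE field in the package.

    All XML parts under word/ are checked (body, headers, footers, footnotes ...), because a
    field in a header fires just as well as one in the body."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in field_instructions(z.read(name)):
                if DDE_RE.match(instr):
                    hits.append((name, " ".join(instr.split())))
    return hits


def build_sample_docx(document_xml: str) -> bytes:
    """Constructed test input: a minimal package with just a document part (enough for scan_docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: the DDEAUTO keyword is split across two runs, the way real lures do it.
# The command is the harmless cmd.exe /k calc.exe from public proofs of concept; it is not run here.
MALICIOUS_DOC = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>Loading document...</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# Constructed benign sample: an ordinary PAGE field, which must not be reported.
BENIGN_DOC = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>
</w:p></w:body></w:document>"""


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:                       # no files given: demonstrate on the constructed samples
        print("constructed sample:", scan_docx(build_sample_docx(MALICIOUS_DOC)))
        print("benign sample:", scan_docx(build_sample_docx(BENIGN_DOC)))
    for path in targets:
        with open(path, "rb") as fh:
            for part, instr in scan_docx(fh.read()):
                print(f"{path}: {part}: {instr}")
```

Run it as `python scan_dde.py suspicious.docx` (the name is mine). It covers the OOXML formats (.docx, .docm, .dotx); the old binary .doc format stores fields differently and is not handled. Keyword matching also misses lures that assemble the DDE keyword at run time from nested QUOTE and SET fields, so in triage treat any field with unexpected nesting as worth a manual look rather than relying on this check alone.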
December 2017 Patch Tuesday disables DDE in Word
As campaigns using the DDE technique became more widespread, Microsoft's security team gradually changed its position.
The first sign came when Microsoft published Security Advisory 4053440 in November, which explained how users could disable the DDE feature in the Office applications that support it, such as Word, Outlook, and Excel.
This past Tuesday, Microsoft went further and disabled DDE in Word altogether, through Office Defense in Depth Update ADV170021.
The update adds a new registry value, AllowDDE, under the per-user Word security key (HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security), which controls the status of the DDE feature in Word. The default after installing the update disables DDE. Users who need DDE in Word again can set the DWORD value according to their requirements as follows:
AllowDDE(DWORD) = 0: To disable DDE. This is the default setting after you install the update.
AllowDDE(DWORD) = 1: To allow DDE requests to an already running program, but prevent DDE requests that require another executable program to be launched.
AllowDDE(DWORD) = 2: To fully allow DDE requests.
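As an added example (not Microsoft's code or the advisory's own steps), the script below audits the AllowDDE value for every Office version present under the current user's hive and, if asked, sets it. The key path is the one ADV170021 documents; the assumptions are that version subkeys look like 14.0, 15.0 or 16.0, and that a missing value is reported for follow-up (it means "disabled" only if the update is installed, and "fully allowed" otherwise). The registry functions need Windows; the classification helpers run anywhere.

```python
"""Audit (and optionally set) the per-user AllowDDE value ADV170021 added for Word.

Added example; not Microsoft's code. Registry access needs Windows; the pure helpers do not.
"""
import sys

# Meaning of each AllowDDE value, as documented in ADV170021.
ALLOW_DDE_MEANING = {
    0: "DDE disabled (the default once ADV170021 is installed)",
    1: "DDE allowed only to programs already running; launching a new executable is blocked",
    2: "DDE fully allowed (pre-update behaviour)",
}


def word_security_key(version: str) -> str:
    """Registry path (relative to HKEY_CURRENT_USER) of Word's Security key for one Office
    version, e.g. '16.0' for Office 2016. The path is the one ADV170021 documents."""
    return rf"Software\Microsoft\Office\{version}\Word\Security"


def assess(version: str, value):
    """Classify one Office version's setting as (version, value, description, needs_review).

    value is None when the key or value is absent. With ADV170021 installed that is the
    'disabled' default; without it DDE is fully enabled. Since the registry alone cannot tell
    the two apart, an absent value is flagged for review (my assumption, not Microsoft's)."""
    if value is None:
        return (version, None, "AllowDDE not set: disabled only if ADV170021 is installed", True)
    if value not in ALLOW_DDE_MEANING:
        return (version, value, f"unexpected AllowDDE value {value!r}", True)
    return (version, value, ALLOW_DDE_MEANING[value], value == 2)


def installed_office_versions():
    """Enumerate version subkeys (14.0, 15.0, 16.0 ...) under HKCU\\Software\\Microsoft\\Office."""
    import winreg
    versions = []
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Office")
    except FileNotFoundError:
        return versions
    with key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:                       # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            index += 1
            if name.replace(".", "", 1).isdigit():  # skip Common, ClickToRun, etc.
                versions.append(name)
    return versions


def read_allow_dde(version: str):
    """Return the AllowDDE DWORD for one version, or None if the key or value is absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, word_security_key(version)) as key:
            value, kind = winreg.QueryValueEx(key, "AllowDDE")
    except FileNotFoundError:
        return None
    return value if kind == winreg.REG_DWORD else None


def set_allow_dde(version: str, value: int) -> None:
    """Create the key if needed and write AllowDDE; restart Word for the change to apply."""
    import winreg
    if value not in ALLOW_DDE_MEANING:
        raise ValueError(f"AllowDDE must be 0, 1 or 2, not {value!r}")
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, word_security_key(version),
                            0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "AllowDDE", 0, winreg.REG_DWORD, value)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry access needs Windows")
    desired = int(sys.argv[1]) if len(sys.argv) > 1 else None   # e.g. 0 to force DDE off
    for ver in installed_office_versions():
        if desired is not None:
            set_allow_dde(ver, desired)
        v, val, desc, flag = assess(ver, read_allow_dde(ver))
        print(f"Office {v}: AllowDDE={val!r}: {desc}{'  <-- review' if flag else ''}")
```

Run it without arguments to audit, or with `0` to disable DDE in every Word version found. Word reads the value when it starts, so close and reopen Word after changing it. The script only touches HKEY_CURRENT_USER, so it must run as each user whose Office settings you want to change.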
Microsoft takes the recent abuse of DDE seriously enough that ADV170021 also includes updates for Word 2003 and Word 2007, two versions it no longer officially supports.
The company is aware that many users and enterprises still run these two versions and has delivered an out-of-band update to protect them from further abuse.
Microsoft will continue to support DDE in Excel and Outlook, where the feature remains enabled by default. The company advises users to consult Security Advisory 4053440, which details how to disable DDE support through GUI options or registry modifications.
Comments
Occasional - 6 years ago
Obviously, Microsoft did not consider the avalanche of opportunities for intentional abuse, which would follow the change to the Internet paradigm.
The roots of the Office Suite run deep into the past (measured in compute cycle years), when installation, updates and malware (though the term was not known) were by floppy disk; and the only networking capabilities available to most was "sneaker-net" (people carried the floppy disks between nodes).
The mindset then was to enable as many features and conveniences for the end user as possible - that's what sold Office. There was very little thought given to protecting users from themselves, let alone from malicious exploitation.
Because the market was driven by compatibility and continuity (you could add new, as long as it would still run the old), mechanisms which had their day (like DDE) were kept in the cellar, just in case someone was still running a custom Office application that required them. Problem is, now anyone, anywhere in the world has access to that cellar - that's something Microsoft did not anticipate.
GT500 - 6 years ago
I made .reg files that can be imported into the registry to disable DDE for Word, Excel, and Outlook based on the information linked in the article. There's one for Office 2007, Office 2010, Office 2013, and Office 2016 and they can be found at the following link:
https://www.gt500.org/microsoft/Disable_DDE.zip
Note that I only have Office 2010, so it's the only one I can test. I copied the registry paths from the Microsoft article linked in this blog post, so in theory they are correct, and should work as expected.
Also note that the Office applications affected by these registry entries will need to be closed in order for the changes from the .reg files to take effect.
JDMArkansas - 6 years ago
I can see it now:
"Dateline April 1, 2018: General Motors announces that all forward gears on GM cars will now be disabled because it has been shown that they are the ones most often used by hit-and-run drivers to kill pedestrians and other drivers. It is expected that all other Detroit automakers will follow suit shortly."
How long will it be before personal computers will have ALL user-programmable features eliminated from them because of their potential for abuse in malware? Will Microsoft remove VBA from all MS Office products? Will Windows Command Line .BAT programs be eliminated from Windows? Will the only software that is allowed to run on MS Windows computers be that written by Microsoft Corporation and its "partners?"
The productivity of Windows computers is already seriously crippled by the necessity of continuously-running anti-malware programs and other security features.
How long will it take before computer users begin to demand that people convicted of serious computer crimes such as writing and intentionally releasing malware receive serious prison time instead of being hired by computer security firms with multi-million-dollar salaries? I would propose that anyone convicted of computer-related crimes be treated the way that child molesters are treated: Lifelong monitoring and being prohibited from ever owning, using any form of computer-related equipment, or working in any computer-related career for life.