ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware.
DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.
DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.
DDE feature abused to install malware
In October 2017, security researchers from SensePost published a tutorial on how the DDE feature could be weaponized and abused to distribute malware.
Even if DDE has been abused to distribute malware in the ’90s, the new methods explained in the SensePost tutorial were quickly adopted by malware distributors, first by FIN7, a group of hackers specialized in hitting financial organizations, and then by distributors of mundane malware.
At the time, Microsoft did not consider DDE a vulnerability in the Office suite but said it was just another legitimate feature abused to distribute malware.
The reason why Microsoft did not consider DDE attacks to be security issues is that Office shows warnings before opening the files. This is just another case where malware authors have found a creative way of abusing a legitimate feature, like with OLE and macros, for which Microsoft also warns users before running.
December 2017 Patch Tuesday disables DDE in Word
As new campaigns leveraging the DDE technique started to become more widespread, Microsoft’s security team slowly began to change its mind.
The first sign was when Microsoft put out Security Advisory 4053440 in mid-October, which contained details about how users could disable the DDE feature in Office applications that support it, such as Word, Outlook, and Excel.
This past Tuesday, Microsoft took a radical step to disable DDE inside Word altogether. This has been done by Office Defense in Depth Update ADV170021.
This update adds a new Windows registry key that controls the DDE feature’s status for the Word app. The default value disables DDE. Here are registry key’s values, if users need to re-enable DDE in Word.
2. Set the DWORD value based on your requirements as follows:
AllowDDE(DWORD) = 0: To disable DDE. This is the default setting after you install the update.
AllowDDE(DWORD) = 1: To allow DDE requests to an already running program, but prevent DDE requests that require another executable program to be launched.
AllowDDE(DWORD) = 2: To fully allow DDE requests.
Microsoft has paid close attention to DDE’s recent abuse so much so that ADV170021 also included updates for Word 2003 and 2007, two versions it officially stopped supporting.
The company is aware that many users and enterprises still deploy these two versions and has delivered an out-of-band emergency update to protect customers from further abuse.
Microsoft will continue to support DDE inside Excel and Outlook, where this feature will remain enabled by default. The company advises users to read Security Advisory 4053440, where it details methods to disable DDE support via GUI options or Windows registry modifications.
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.