Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Microsoft Security

Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks (bleepingcomputer.com) 103

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

This discussion has been archived. No new comments can be posted.

Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks

Comments Filter:
  • All well and good (Score:5, Insightful)

    by Ol Olsoc ( 1175323 ) on Monday December 18, 2017 @09:22AM (#55760609)
    But its a bloody nuisance when you work with something, then it suddenly goes away. Security through loss of function.
    • You can turn it back on with a registry key.
      • by OzPeter ( 195038 )

        You can turn it back on with a registry key.

        So what does it take to turn it on?

        Or in other words, can a bad actor sneakily turn it back on for you?

        • by EvilSS ( 557649 )

          You can turn it back on with a registry key.

          So what does it take to turn it on?

          Or in other words, can a bad actor sneakily turn it back on for you?

          If a bad actor can edit the registry then they don't need to turn on DDE, they already have plenty of access to your device.

        • So what does it take to turn it on?

          Like the parent post said, access to the registry. If an attacker has access to your Windows Registry, you're already screwed. He doesn't need to stage an attack through Word DDE; he already has everything.

    • DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.
      • DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.

        You are thinking specific, I'm talking about the generality of Microsoft disabling things that some users use. Apple does this too - I'm dealing with fallout of High Sierra turning thumbdrive encryption into a clusterfsck. When you have to keep finding new solutions to old challenges, it gets old real fast.

        • Frankly anyone with any good sense should have been avoiding DDE for 20 years. The reality is that Microsoft should have killed it in the late 90s. Even without considering the security implications, it's a goddamned awkward data exchange protocol compared to OLE. The fact that Microsoft maintained this antiquated protocol really is the problem.

        • If you are using something originally coded for Windows 2.0 and OS/2 [wikipedia.org] it might be time to actually upgrade to something newer, like say this century?
      • It is actually not terrible. It is super simple. More or less a socket.

        Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC. And my GEOCad system and my (META ) CASE System.

    • Security and Convenience are diametrically opposite.

      If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?

      Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.

      When I filed my change of address, Vanguard locked my account withdrawals for seven days. I sent a mail thanking them.

      If there is someone to blame, blame Microsoft was making convenience more impor

      • Security and Convenience are diametrically opposite.

        If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?

        Funny you mention it. We've often had contractors come in and the often work unattended. They are bonded, and we are repeat customers.

        Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.

        Yeah, and I have a setup where any time a charge over a certain amount is charged to my Credit card, it disables the account, and a human calls me to verify the purchase.It's quite cool But still.

        If there is someone to blame, blame Microsoft was making convenience more important than security, and for fostering a climate where that decision was considered better.

        You are arguing against yourself. Your credit card and bankers have come out with a way to work around security vulnerabilities. Using Microsoft's paradigm, instead of a call to ver

    • by Anonymous Coward

      I has this same feeling when they started pretending like NT4.0 never existed, "Security through loss of function."

    • Security through loss of function

      A long depreciation window combined with a functionally compatible and far superior alternative is not considered a "loss of function".

      I guess you're also upset that you can no longer run 8 bit code on your 64 bit PC? Oh what a calamity!

      • Is there any functionality that is even lost here? I would honestly be surprised if more than 5 people in the entire world are affected by this.
      • I can run DOS programs through DOSBOX on my 64-bit PC and am still annoyed that emulation in general isn't transparent or that the sum total of all knowledge isn't completely available to me.
    • by Anonymous Coward

      True - ideally, MS should have been patching in a deprecation warning into Word years ago -- or, maintain a list of deprecated features.in the help menu and online.

      There is one specific use-case of DDE that I believe MS Word does still use - when you open a word doc from explorer and Word is already running, the second instance instead communicates with the first to get it to open the document instead of having a second instance.

      I don't know if this is still the case, or if people even care any more. Howev

    • If you work with DDE these days, you're a moron. OLE was introduced in 1990, and replaces DDE. Anyone ever using DDE should now be well retired. The fact that they actually use DDE is proof they really needs to be retired. Voluntarily or not.
      • If you work with DDE these days, you're a moron.

        Never have - never will. But some folks do, and last time I checked, there was no law against being a moran

        OLE was introduced in 1990, and replaces DDE. Anyone ever using DDE should now be well retired. The fact that they actually use DDE is proof they really needs to be retired. Voluntarily or not.

        If no one is using it, there is no need to retire it. If peopel are using it, you fix it. A concept that is based on not pissing people off. It isn't like this is the first security fla in Office, so perhaps any one or group that works with MS Office is a moron?

        • But some folks do, and last time I checked, there was no law against being a moran

          If you work professionally with DDE when Microsoft has been telling you for decades (yes, decades) to stop, then you should be summarily fired from your job as being entirely unqualified for it.

          there is no need to retire it.

          That's the point. There is a strong need to retire it. It's unsafe.

          perhaps any one or group that works with MS Office is a moron?

          I have written a few applications and app integrations with MS Office over

  • by Anonymous Coward

    This bug still? I was hit with this attack back in 2008, it encrypted my MSWord interface to this weird long list of unusable modal icons, rendering my Office suite unusable.

    I had to switch to LibreOffice to fix it.

    I'm shocked that this is still happening in 2017 nearly a decade later!

  • Word 2007 (Score:5, Interesting)

    by DrStrangluv ( 1923412 ) on Monday December 18, 2017 @09:37AM (#55760731)
    What makes this patch especially interesting is they also released it for Word 2007, which otherwise would be end of life and excluded from updates.
    • by Anonymous Coward
      Yes. This speaks volumes about the huge issue the DDE attack vector is right now. Literally almost all spam is using it right now. This and the Equation Editor attack.
    • Of course. Many of their corporate clients still use 2007.

  • Newer? (Score:5, Interesting)

    by Dan East ( 318230 ) on Monday December 18, 2017 @10:02AM (#55760913) Journal

    newer Object Linking and Embedding (OLE) toolkit

    OLE 1.0, released in 1990, was an evolution of the original Dynamic Data Exchange (DDE) concept

    Boy, that's reassuring that OLE is so much newer than DDE. Why the heck is something like DDE still existing in their products when it was superseded by something 27 years ago?

    • by Anonymous Coward

      A few months ago, I was implementing a process control system that we wanted to conditionally write logs directly to a database. The documentation gave very simple instructions about how to do this with DDE.

      Except that the DDE channel had been removed last year, and instead of a simple two-program system with free components, the OLE version took 4 proprietary programs.

      That was my first foray into sorting through DDE or OLE, and while it may not be typical, my conclusion is that OLE is a complete failure a

    • OLE and DDE certainly serve the same purpose, but OLE is Microsoft's implementation of CORBA, which has been around since the 1980s. So far as I understand it, at least in theory, OLE is supposed to interact with other CORBA implementations.

      • Re:Newer? (Score:4, Informative)

        by angel'o'sphere ( 80593 ) on Monday December 18, 2017 @04:33PM (#55764419) Journal

        No, OLE is the attempt of reinventing the Apple "OLE" which they had years before, but then dropped it as it is pointless.
        CORBA is something completely different and has nothing to do with OLE at all. CORBA is an object oriented RPC (remote procedure call) "specification". It basically only works inside of the same "Server" (ORB = object request broker) family (same vendor, not even same OS is enough).
        It got soon extended by the IIOP, internet inter ORB protocol, which made it possible that ORBs of different vendors could interact with each other.
        While there are similarities, they have not much in common. In CORBA e.g. you have platform neutral specification languages (IDL, interface description languages) that make it possible to generate communication skeletons and "dumb data objects" to talk to any ORB. And then fill out the logic you need.
        An ORB is basically a fancy "REST Server" ... or "SOAP", does not matter, means: A server application.
        In other words: the data you manipulate is somewhere else. On the server.

        With OLE every single Application on your Windows PC can be its own small server, able to handle requests to manipulate objects that are actually "embedded" into other programs.

        You basically tell a remote (but still on the same machine) progam to manipulate your local data. OLE is basically CORBA reversed. Instead of calling business logic on the server, the other side manipulates the data in the client. (And there is no IDL/specification language, but you have to implement all the hooks the other side needs to manipulate your data)

        P.S.
        Similar to CORBA *and* OLE is MS COM and DCOM inspired by DECs was DCE, Distributed Computing Environment.
        Or as a summary:
        * CORBA is supposed to be used in a LAN/WAN and with IIOP over the internet, OLE is supposed to be used on the same machine, but it is possible to use OLE Servers (as in remote)
        However, why anyone would use OLE for remote stuff when we have CORBA, SOAP and REST is beyond me.
        * the CORBA server is called by clients, letting the server do something for them on the server
        * OLE asks the server to do something inside of your own address space, you basically embed (hence the E in OLE) a part of the server into your own application, it is basically a super fancy DLL(dynamic link library)

    • That is actually a silly if not even dumb question.

      I have a CAD system that is used for GEO informations, plans for buildings etc.

      It can talk to Excel via DDE. Tell excel to open a "template file", save it as "today-${project}-earth-to-move.xls" and then the CAD system will pipe in the data to calculate the amount of earth to dig out and how many trucks you need to carry it away.

      I got payed for that 20 years ago.

      If Excel breaks DDE "communication" all my customers from over 25 years ago have to find one to

  • "disables DDE only in Word, but not Excel or Outlook"

    News from next week - cybercriminals switch to using malicious Excel sheets instead of Word documents in their malware spam.

    Seriously, what are they thinking here?

  • in the long tradition of long reaching poor ideas like VBA (which had to be disabled in IE for security issues which finally happened in IE7), IIS with insecure settings on be default (for convenience), now comes DDE. Things that had to be changed or disabled because of things anyone thinking it through would realize, is a bad idea. Of course Windows defender is a bit of a joke in the security world as well. The fact the update was done for Word 2007 probably means this vulnerability was so bad they includ
  • by Anonymous Coward


    DDE did a job on me
    Now my desktop's a real sickie
    Guess I have to break the news
    Now I've got no files to lose
    Code Red caused a trichotomy
    My PC is a lobotomy!
    Lobotomy!
    Lobotomy!

    - from "Teenage Lobotomy" (Ramones)

  • by Dwedit ( 232252 )

    DDE was already obsolete by the time Windows 98 came out, and should have been removed then.

    • I know this will come as a shock to you, but there are users out there who like their applications to keep on working when their OS is "upgraded".

"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault

Working...