Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks (bleepingcomputer.com) 103
An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.
The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.
The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.
All well and good (Score:5, Insightful)
Re: (Score:3, Interesting)
OLE is about 25 years old. If you have to update your software because it's not able to do OLE, it's about fucking time!
Re: (Score:2)
That does not mean someone did not create new software using a document supported feature of the product just last week.
Re: (Score:2)
Then that someone is incompetent and deserves all that is coming.
By your logic, nothing could ever get phased out, no matter how bad it is.
Re: (Score:2)
I honestly can't think of anyone still using DDE for anything. Compared to OLE it's clumsy and very, very badly supported. You'll have more comfort writing Windows GUI applications in C++ with Visual Studio than using DDE.
Re: (Score:3)
I honestly can't think of anyone still using DDE for anything. Compared to OLE it's clumsy and very, very badly supported. You'll have more comfort writing Windows GUI applications in C++ with Visual Studio than using DDE.
Actually, a lot of Office links still use DDE.
Re: (Score:3)
"Actually, a lot of Office links still use DDE."
Not anymore apparently.
Re: (Score:2)
Remember, they only disabled it for Word.
It still works in Excel and Outlook.
It'll probably be stripped completely out of Office 2018 though.
Re: (Score:1)
Re: (Score:2)
So am I. I refuse to touch the atrocity that is C# for as long as I possibly can.
But it gets harder and harder with every incarnation of Visual Studio.
Re: (Score:2)
And how do you pump data into "You'll have more comfort writing Windows GUI applications in C++" if not via DDE?
I guess you don't really know what DDE is and how it works.
Re: (Score:2)
Please don't tell me you use anything coming from MS Office as a trusted data source.
That's for managers so they can play with something and don't get in the way of working people.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
OLE is not DDE ... and I doubt people use any of those two things often, if at all.
Re: (Score:2)
Re: (Score:2)
The problem is, it is broke.
Re: (Score:2)
Re: (Score:2)
Microsoft has superseded via the newer Object Linking and Embedding (OLE)
By breaking backwards compatibility, everyone else has to have to pony up for a newer version of Word to view your documents.
Imagine that.
Microsoft Office is well known for being incompatible with itself.
Re: (Score:2)
Re: (Score:2)
DDE was deprecated with win32.
Source please. Perhaps you are thinking of NetDDE?
Plain DDE may have been deprecated for use with the office programs, but it worked just fine for other things. I have made win32 programs that used DDE for (local) communication. Compared to the alternatives (tcp-over-loopback, shared memory+shared-mutexes, named-pipes) it works fine.
Re: (Score:2)
Re: (Score:2)
Fair enough. I seem to recall that microsoft was trying to get people to use OLE for embedded objects. For such uses OLE is definitely more appropriate than DDE.
Re: (Score:3)
OLE and DDE are completely different things.
In OLE e.g. a program enables you to "copy/paste" a part of an Excel Spread Sheet into your Application. That will be an "Excel Object that is Embedded into your document and Links to Excel so that Excel will recalculate that fragment when you change data"
DDE (dynamic data exchange) is a simple thing where you register a named server, that can be looked up, and you simply pipe strings or read strings from it. It is a fancy name for a local registry that is basical
Re: (Score:3)
Re: (Score:2)
You can turn it back on with a registry key.
So what does it take to turn it on?
Or in other words, can a bad actor sneakily turn it back on for you?
Re: (Score:2)
You can turn it back on with a registry key.
So what does it take to turn it on?
Or in other words, can a bad actor sneakily turn it back on for you?
If a bad actor can edit the registry then they don't need to turn on DDE, they already have plenty of access to your device.
Re: (Score:2)
Like the parent post said, access to the registry. If an attacker has access to your Windows Registry, you're already screwed. He doesn't need to stage an attack through Word DDE; he already has everything.
Re: (Score:3)
Re: (Score:2)
DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.
You are thinking specific, I'm talking about the generality of Microsoft disabling things that some users use. Apple does this too - I'm dealing with fallout of High Sierra turning thumbdrive encryption into a clusterfsck. When you have to keep finding new solutions to old challenges, it gets old real fast.
Re: (Score:1)
Frankly anyone with any good sense should have been avoiding DDE for 20 years. The reality is that Microsoft should have killed it in the late 90s. Even without considering the security implications, it's a goddamned awkward data exchange protocol compared to OLE. The fact that Microsoft maintained this antiquated protocol really is the problem.
Re: (Score:2)
Re: (Score:2)
If you are using something originally coded for Windows 2.0 and OS/2 [wikipedia.org] it might be time to actually upgrade to something newer, like say this century?
Note I heve never used DDE. But I can assure people there are cost center IT departments that are not happy right now.
Re: (Score:2)
It is actually not terrible. It is super simple. More or less a socket.
Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC. And my GEOCad system and my (META ) CASE System.
Re: (Score:2)
If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?
Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.
When I filed my change of address, Vanguard locked my account withdrawals for seven days. I sent a mail thanking them.
If there is someone to blame, blame Microsoft was making convenience more impor
Re: (Score:2)
Security and Convenience are diametrically opposite.
If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?
Funny you mention it. We've often had contractors come in and the often work unattended. They are bonded, and we are repeat customers.
Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.
Yeah, and I have a setup where any time a charge over a certain amount is charged to my Credit card, it disables the account, and a human calls me to verify the purchase.It's quite cool But still.
If there is someone to blame, blame Microsoft was making convenience more important than security, and for fostering a climate where that decision was considered better.
You are arguing against yourself. Your credit card and bankers have come out with a way to work around security vulnerabilities. Using Microsoft's paradigm, instead of a call to ver
Re: (Score:2)
Sweet. Where do you work?
In the ninth level of hell.
Amen! (Score:1)
I has this same feeling when they started pretending like NT4.0 never existed, "Security through loss of function."
Re: (Score:2)
Security through loss of function
A long depreciation window combined with a functionally compatible and far superior alternative is not considered a "loss of function".
I guess you're also upset that you can no longer run 8 bit code on your 64 bit PC? Oh what a calamity!
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
True - ideally, MS should have been patching in a deprecation warning into Word years ago -- or, maintain a list of deprecated features.in the help menu and online.
There is one specific use-case of DDE that I believe MS Word does still use - when you open a word doc from explorer and Word is already running, the second instance instead communicates with the first to get it to open the document instead of having a second instance.
I don't know if this is still the case, or if people even care any more. Howev
Re: (Score:2)
Re: (Score:2)
If you work with DDE these days, you're a moron.
Never have - never will. But some folks do, and last time I checked, there was no law against being a moran
OLE was introduced in 1990, and replaces DDE. Anyone ever using DDE should now be well retired. The fact that they actually use DDE is proof they really needs to be retired. Voluntarily or not.
If no one is using it, there is no need to retire it. If peopel are using it, you fix it. A concept that is based on not pissing people off. It isn't like this is the first security fla in Office, so perhaps any one or group that works with MS Office is a moron?
Re: (Score:2)
If you work professionally with DDE when Microsoft has been telling you for decades (yes, decades) to stop, then you should be summarily fired from your job as being entirely unqualified for it.
That's the point. There is a strong need to retire it. It's unsafe.
I have written a few applications and app integrations with MS Office over
Re: (Score:1)
I was hit with that malware attack (Score:1)
This bug still? I was hit with this attack back in 2008, it encrypted my MSWord interface to this weird long list of unusable modal icons, rendering my Office suite unusable.
I had to switch to LibreOffice to fix it.
I'm shocked that this is still happening in 2017 nearly a decade later!
Re: (Score:2)
Word 2007 (Score:5, Interesting)
Re: (Score:1)
Re: Word 2007 (Score:2)
Of course. Many of their corporate clients still use 2007.
Re: Word 2007 (Score:4, Insightful)
Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!
Re: (Score:2)
The folding is annoying, and the way different size screens show different versions of the toolbar (maybe that's the same thing?). I also don't like that they repeat the location of items in multiple places, or that they screwed with the shortcuts. But mostly, I just don't like that they threw their power users under the bus for the sake of the newbies... it shows what they think of us. I've made a concerted effort to remove myself from MS's tools as a result. No matter, our office still pays the ransom.
Re: (Score:2)
That release will forever be stained by Clippy, but otherwise I'd agree.
Re: (Score:2)
I was using 2000 SR3 until October 2016 until my Windows XP Pro SP3's HDD crashed. :(
Re: (Score:2)
Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!
Just because you had to learn something new doesn't make it a downgrade. I'm sorry someone moved your cheese, but the world is a better place for your loss.
Re: (Score:2)
I'm sorry, but having now used the ribbon for 6 or 7 years vs. having previously used the old menu systems for almost 20, I just haven't seen any productivity improvements - and in fact I still get irritated by weird ribbon behavior and differences between different systems with differently-shaped screens. I don't mind if someone "moves my cheese" for good reason, but "supporting touch screen" is not a good reason for a power user who never uses a MS tablet. At home I don't even bother installing MS Office
Re: (Score:2)
And add Autodesk to the list of horrendous interfaces - though at least you can still type the same commands you could in 1993.
Re: (Score:2)
Re: (Score:2)
And add Autodesk to the list of horrendous interfaces - though at least you can still type the same commands you could in 1993.
That is an interesting observation given the old command based system is one of the least user friendly ways of interacting with an application. There's no doubt for the expert it is a great benefit, but the world is built on experts alone.
Re: (Score:2)
When it comes to professional software, the world is indeed built by experts. If you think the command based system is user-unfriendly, your sole experience with drafting is some kind of intro course. Even then, the clicks get old fast. Autodesk got the balance right - the experts can still use the system that they've been using for decades, and the newbies can screw with the ribbon. In the case of AutoCAD, it's not like the menu system was ever very important - you mostly used it to set up your toolbars, a
Re: (Score:2)
I'm sorry, but having now used the ribbon for 6 or 7 years vs. having previously used the old menu systems for almost 20, I just haven't seen any productivity improvements
I have. The interesting thing is so have the millions of other people who more welcome context based options rather than menus of everything.
Greater good.
Re: (Score:2)
You are the first ribbon fan I've found in the wild. You could, of course work for MS or have some professional interest in the ribbon, but I'll give the benefit of the doubt and assume you are genuine. Everyone is different - and I won't begrudge your taste. I will ask how tossing away all of your 3-key shortcuts in favor of new 3-character+ shortcuts made you more productive? If you use a tablet or touch screen, I could understand. But the rest of us took the hit for what turned out to be a narrow use-cas
Re: (Score:2)
Re: (Score:2)
My 1024x768 monitor weeps for your 2003 problem.
Re: (Score:2)
A GUI that is not explorable and has everything you need at the wrong places and only works via buttons that "also have a right click mouse menu": is horrible.
In old GUI programs you simply moved with the mouse over menus and you knew what you can do and it was easy to figure how to do it ... FrameMaker comes to mind. Best "Word Processor" ever.
The MS ribbon nonsense requires formal training to be able to use the Office packages and Outlook. And don't get me started about Apples Pages and Numbers and don't
Re: (Score:2)
is not explorable
Every option available in the current context is explorable. On the flip side hiding those options in a list of unavailable and de-activated options is not user friendly.
has everything you need at the wrong places
Your "wrong places" is debatable. Personally I find it a great improvement in most of the office apps.
and only works via buttons
Except it doesn't.
The MS ribbon nonsense requires formal training to be able to use the Office packages and Outlook.
Only for people stuck in the early 90s who expect a menu with every option always available. For everyone else the ribbon is far more intuitive and easier to pick up.
Re: (Score:2)
Only for people stuck in the early 90s who expect a menu with every option always available.
Outlook is not defensible. You have two completely separate edit modes, with completely separate ribbons and options available to you depending on whether you "pop out" the message you are editing or not. There is absolutely no way to use all of the features available for messages without first hitting the pop out button - which is not even part of the ribbon. The ribbon was clearly shoe-horned onto that program, and whatever you think of the concept of the ribbon in general, it was not executed well in Out
Re: (Score:2)
Hahahaha
Save as
Print
Print Preview
On the wrong page. ...
The 'standard page for editing' has the wrong name
Sorry, the ribbon version of Office is completely unusable.
If you can work with it: fine for you...
Re: (Score:2)
There's no need to for that kind of language.
Re: (Score:3)
DDE was introduced in Windows 2.0 (in 1987), which also introduced such exciting features as overlapping windows. Computers that ran Windows 2.0 mostly didn't exchange files, but if they did it was most commonly on a 5.25" floppy disk or very occasionally via a serial link. The threat model for these machines largely related to someone breaking into your office and stealing them. Attacking this on most Windows 2.0 machines would have usually involved persuading a random person to accept a floppy disk and
Newer? (Score:5, Interesting)
newer Object Linking and Embedding (OLE) toolkit
OLE 1.0, released in 1990, was an evolution of the original Dynamic Data Exchange (DDE) concept
Boy, that's reassuring that OLE is so much newer than DDE. Why the heck is something like DDE still existing in their products when it was superseded by something 27 years ago?
Re: (Score:1)
A few months ago, I was implementing a process control system that we wanted to conditionally write logs directly to a database. The documentation gave very simple instructions about how to do this with DDE.
Except that the DDE channel had been removed last year, and instead of a simple two-program system with free components, the OLE version took 4 proprietary programs.
That was my first foray into sorting through DDE or OLE, and while it may not be typical, my conclusion is that OLE is a complete failure a
Re: (Score:1)
OLE and DDE certainly serve the same purpose, but OLE is Microsoft's implementation of CORBA, which has been around since the 1980s. So far as I understand it, at least in theory, OLE is supposed to interact with other CORBA implementations.
Re:Newer? (Score:4, Informative)
No, OLE is the attempt of reinventing the Apple "OLE" which they had years before, but then dropped it as it is pointless. ... or "SOAP", does not matter, means: A server application.
CORBA is something completely different and has nothing to do with OLE at all. CORBA is an object oriented RPC (remote procedure call) "specification". It basically only works inside of the same "Server" (ORB = object request broker) family (same vendor, not even same OS is enough).
It got soon extended by the IIOP, internet inter ORB protocol, which made it possible that ORBs of different vendors could interact with each other.
While there are similarities, they have not much in common. In CORBA e.g. you have platform neutral specification languages (IDL, interface description languages) that make it possible to generate communication skeletons and "dumb data objects" to talk to any ORB. And then fill out the logic you need.
An ORB is basically a fancy "REST Server"
In other words: the data you manipulate is somewhere else. On the server.
With OLE every single Application on your Windows PC can be its own small server, able to handle requests to manipulate objects that are actually "embedded" into other programs.
You basically tell a remote (but still on the same machine) progam to manipulate your local data. OLE is basically CORBA reversed. Instead of calling business logic on the server, the other side manipulates the data in the client. (And there is no IDL/specification language, but you have to implement all the hooks the other side needs to manipulate your data)
P.S.
Similar to CORBA *and* OLE is MS COM and DCOM inspired by DECs was DCE, Distributed Computing Environment.
Or as a summary:
* CORBA is supposed to be used in a LAN/WAN and with IIOP over the internet, OLE is supposed to be used on the same machine, but it is possible to use OLE Servers (as in remote)
However, why anyone would use OLE for remote stuff when we have CORBA, SOAP and REST is beyond me.
* the CORBA server is called by clients, letting the server do something for them on the server
* OLE asks the server to do something inside of your own address space, you basically embed (hence the E in OLE) a part of the server into your own application, it is basically a super fancy DLL(dynamic link library)
Re: (Score:2)
That is actually a silly if not even dumb question.
I have a CAD system that is used for GEO informations, plans for buildings etc.
It can talk to Excel via DDE. Tell excel to open a "template file", save it as "today-${project}-earth-to-move.xls" and then the CAD system will pipe in the data to calculate the amount of earth to dig out and how many trucks you need to carry it away.
I got payed for that 20 years ago.
If Excel breaks DDE "communication" all my customers from over 25 years ago have to find one to
Coming up next week.... (Score:2)
"disables DDE only in Word, but not Excel or Outlook"
News from next week - cybercriminals switch to using malicious Excel sheets instead of Word documents in their malware spam.
Seriously, what are they thinking here?
Microsoft does it again (Score:2)
Re: (Score:3)
Re: Microsoft does it again (Score:2)
Kind of a clever attack (Score:2)
Details here -
http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html [talosintelligence.com]
Pop song reference (Score:1)
DDE did a job on me
Now my desktop's a real sickie
Guess I have to break the news
Now I've got no files to lose
Code Red caused a trichotomy
My PC is a lobotomy!
Lobotomy!
Lobotomy!
- from "Teenage Lobotomy" (Ramones)
Re: Pop song reference (Score:2)
DDE (Score:2)
DDE was already obsolete by the time Windows 98 came out, and should have been removed then.
Re: (Score:3)
I know this will come as a shock to you, but there are users out there who like their applications to keep on working when their OS is "upgraded".