• Word’s DDEAUTO field considered harmful

    #136290

    Wow. This one goes all the way back to Hacker’s Guide to Word for Windows — which was published in 1994. Etienne Stalmans and Saif El-Sherei at Sense
    [See the full post at: Word’s DDEAUTO field considered harmful]

    1 user thanked author for this post.
    • #136311

      Another case of HISTORY REPEATING ITSELF ! ! !

    • #136323

      They gloss over a key decision point that would certainly raise MY suspicions. If I received a warning like the following on a document received from elsewhere, or even just viewing an eMail you’d better believe I’d choose [ No ]!

      [Image: Linked]

      or

      [Image: UpdateFields]

      They dismiss the above as “nothing malicious”, while I most certainly would not. However, I will concede that folks in, say, a corporate environment in which documents that emit such messages are regularly passed around could be fooled.

      The worrisome part is that Microsoft, having been informed, might now hobble some key functionality of older versions of Office so that this “threat” will be removed. What do WE end up with? Software that works worse – and which if designed originally that way might never have been suitable for use or purchase.

      It bothers me that there is much that is implied but unsaid in discussions about security. There should always be a discussion on whose responsibility it is to maintain security. It’s a bit like having a discussion about power tools and claiming a cordless drill is a threat to everyone because you could accidentally drill a hole in your hand, then demanding the manufacturer to change it so that it can’t do so. The assumption is that everyone using a power drill is ignorant, and that the manufacturer must put some kind of guard on it that doesn’t get in the way of actual work, but protects ignorant users’ hands – while such a design may not be feasible or even possible. Then, who could ever complain about it when it’s so much more secure?

      In this case Microsoft HAS included warnings that would block this infection, but because it suits the writers who want to fill their space with important-looking info, it’s considered “not enough”. How much is enough?

      Notably Microsoft responded appropriately, I think:

      26/09/2017 – Microsoft responded that as suggested it is a feature and no further action will be taken, and will be considered for a next-version candidate bug.

      -Noel

      2 users thanked author for this post.
    • #136343

      >>> The worrisome part is that Microsoft, having been informed, might now hobble some key functionality of older versions of Office so that this “threat” will be removed. What do WE end up with? Software that works worse – and which if designed originally that way might never have been suitable for use or purchase. <<<

      Yep, just as they have made Outlook 2010 on a personal PC almost worthless to receive any kind of mailing from businesses or news organizations, and I do not mean ads.  Tons of blank photo placeholders.

    • #136422
    • #138158

      From https://twitter.com/GossiTheDog/status/919945210746081282: “While InfoSec is busy worrying about an academic threat around Wi-Fi, Word DDE (no patch) is being used for ransomware and trojans right now”

      1 user thanked author for this post.
    • #138235

      From https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html:

      ‘One final note: after I published this article, fellow Austin security pro Brian Boettcher mentioned a very simple trick to stop this exploit dead in its tracks: disabling the “update automatic links at open” option in Word.’

      2 users thanked author for this post.
      • #138263

        From https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html: ‘One final note: after I published this article, fellow Austin security pro Brian Boettcher mentioned a very simple trick to stop this exploit dead in its tracks: disabling the “update automatic links at open” option in Word.’

        And for those wanting to know just how to do what Brian is talking about above, go into Word’s Options menu and choose the “Advanced” options. Now, scroll ALL the way down to the heading labeled “General” on the right side of the window. Under there, you should find the check box labeled exactly as described by Brian above! Click the box to remove the check mark that’s probably in it by default, then click the OK button at the bottom of the window and you’re done!

        3 users thanked author for this post.
    • #138314

      From https://twitter.com/ryHanson/status/918598525792935936: “The well known Excel DDE vector can also be manipulated, here is the formula […]”

    • #138315

      There are ways to avoid opening a file from the Internet in Protected View: https://enigma0x3.net/2017/07/13/phishing-against-protected-view/. Example video: https://twitter.com/enigma0x3/status/918636157461770240.

    • #138328

      From Hancitor malspam uses DDE attack: “Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16.  Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft’s Dynamic Data Exchange (DDE) technique.”

    • #138898

      From https://twitter.com/GossiTheDog/status/920635876375449600: “Remember the Word DDE issue found by @sensepost? Copy the DDE from Word into Outlook, then email it to somebody.. No attachment -> calc.”

      From https://twitter.com/5ecur1tySi/status/920984536774840320: “The following .reg file should prevent the loading of DDE in Outlook 2016.”

    • #139802