Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Word’s DDEAUTO field considered harmful

    Home Forums AskWoody blog Word’s DDEAUTO field considered harmful

    Tagged: 

    This topic contains 12 replies, has 6 voices, and was last updated by  MrBrian 23 hours, 57 minutes ago.

    • Author
      Posts
    • #136290 Reply

      woody
      Da Boss

      Wow. This one goes all the way back to Hacker’s Guide to Word for Windows — which was published in 1994. Etienne Stalmans and Saif El-Sherei at Sense
      [See the full post at: Word’s DDEAUTO field considered harmful]

      1 user thanked author for this post.
    • #136311 Reply

      Pepsiboy
      AskWoody Lounger

      Another case of HISTORY REPEATING ITSELF ! ! !

    • #136323 Reply

      Noel Carboni
      AskWoody MVP

      They gloss over a key decision point that would certainly raise MY suspicions. If I received a warning like the following on a document received from elsewhere, or even just viewing an eMail you’d better believe I’d choose [ No ]!

      Linked

      or

      UpdateFields

      They dismiss the above as “nothing malicious”, while I most certainly would not. However, I will concede that folks in, say, a corporate environment in which documents that emit such messages are regularly passed around could be fooled.

      The worrisome part is that Microsoft, having been informed, might now hobble some key functionality of older versions of Office so that this “threat” will be removed. What do WE end up with? Software that works worse – and which if designed originally that way might never have been suitable for use or purchase.

      It bothers me that there is much that is implied but unsaid in discussions about security. There should always be a discussion on whose responsibility it is to maintain security. It’s a bit like having a discussion about power tools and claiming a cordless drill is a threat to everyone because you could accidentally drill a hole in your hand, then demanding the manufacturer to change it so that it can’t do so. The assumption is that everyone using a power drill is ignorant, and that the manufacturer must put some kind of guard on it that doesn’t get in the way of actual work, but protects ignorant users’ hands – while such a design may not be feasible or even possible. Then, who could ever complain about it when it’s so much more secure?

      In this case Microsoft HAS included warnings that would block this infection, but because it suits the writers who want to fill their space with important-looking info, it’s considered “not enough”. How much is enough?

      Notably Microsoft responded appropriately, I think:

      26/09/2017 – Microsoft responded that as suggested it is a feature and no further action will be taken, and will be considered for a next-version candidate bug.

      -Noel

      Attachments:
      You must be logged in to view attached files.
      2 users thanked author for this post.
    • #136343 Reply

      Bill C.
      AskWoody Lounger

      >>> The worrisome part is that Microsoft, having been informed, might now hobble some key functionality of older versions of Office so that this “threat” will be removed. What do WE end up with? Software that works worse – and which if designed originally that way might never have been suitable for use or purchase. <<<

      Yep, just as they have made Outlook 2010 on a personal PC almost worthless to receive any kind of mailing from businesses or news organizations, and I do not mean ads.  Tons of blank photo placeholders.

    • #136422 Reply

      MrBrian
      AskWoody MVP
    • #138158 Reply

      MrBrian
      AskWoody MVP

      From https://twitter.com/GossiTheDog/status/919945210746081282: “While InfoSec is busy worrying about an academic threat around Wi-Fi, Word DDE (no patch) is being used for ransomware and trojans right now”

      1 user thanked author for this post.
    • #138235 Reply

      MrBrian
      AskWoody MVP

      From https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html:

      ‘One final note: after I published this article, fellow Austin security pro Brian Boettcher mentioned a very simple trick to stop this exploit dead in its tracks: disabling the “update automatic links at open” option in Word.’

      2 users thanked author for this post.
      • #138263 Reply

        Bob99
        AskWoody Lounger

        From https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html: ‘One final note: after I published this article, fellow Austin security pro Brian Boettcher mentioned a very simple trick to stop this exploit dead in its tracks: disabling the “update automatic links at open” option in Word.’

        And for those wanting to know just how to do what Brian is talking about above, go into Word’s Options menu and choose the “Advanced” options. Now, scroll ALL the way down to the heading labeled “General” on the right side of the window. Under there, you should find the check box labeled exactly as described by Brian above! Click the box to remove the check mark that’s probably in it by default, then click the OK button at the bottom of the window and you’re done!

        3 users thanked author for this post.
    • #138314 Reply

      MrBrian
      AskWoody MVP

      From https://twitter.com/ryHanson/status/918598525792935936: “The well known Excel DDE vector can also be manipulated, here is the formula […]”

    • #138315 Reply

      MrBrian
      AskWoody MVP

      There are ways to avoid opening a file from the Internet in Protected View: https://enigma0x3.net/2017/07/13/phishing-against-protected-view/. Example video: https://twitter.com/enigma0x3/status/918636157461770240.

      • This reply was modified 5 days, 21 hours ago by  MrBrian.
    • #138328 Reply

      MrBrian
      AskWoody MVP

      From Hancitor malspam uses DDE attack: “Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16.  Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft’s Dynamic Data Exchange (DDE) technique.”

    • #138898 Reply

      MrBrian
      AskWoody MVP

      From https://twitter.com/GossiTheDog/status/920635876375449600: “Remember the Word DDE issue found by @sensepost? Copy the DDE from Word into Outlook, then email it to somebody.. No attachment -> calc.”

      From https://twitter.com/5ecur1tySi/status/920984536774840320: “The following .reg file should prevent the loading of DDE in Outlook 2016.”

    • #139802 Reply

      MrBrian
      AskWoody MVP

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Word’s DDEAUTO field considered harmful

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.