Newsletter Archives

  • Microsoft releases a Security Advisory about the DDEAUTO fandango

    Posted on November 8, 2017 at 13:57 CST by Comment in the Forums

    I first wrote about the Word {DDEAUTO} field and its weird ways in “Hacker’s Guide to Word for Windows.” Yes, that was 23 years ago. {DDEAUTO} precedes Word macros, I do believe.

    Recently, some very smart folks have re-discovered the field and put it to nefarious purpose.

    @arekfurt has a great timeline.

    The speed of adoption of the DDE technique (roughly):

    -10/09: @sensepost blog post (re)discovering & validating technique
    -10/10: @GossiTheDog tweets about, fleshes out info on extensively
    -10/11: spotted in-the-wild (FIN7)
    -10/13: start of big surge in usage
    -10/25: Fancy Bear

    Those are all in 2017. The {DDEAUTO} field hasn’t changed a bit in two decades.

    Microsoft just released Security Advisory 4053440:

    Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields

    Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange

    Deja vu, eh? Consider this post from Oct. 27:

    The big threat now is from that Wacky Wascal BadRabbit, which started with a fake Flash update on a Russian site and an ancient DDEAUTO field exploit in Word (and Excel and Outlook and OneNote) and is being used to carry Locky and other ransomware.

    The DDEAUTO exploit isn’t a bug, according to Microsoft, because you have to click through three warning dialogs before it’ll bite. (The first of which is “Enable Editing.” Sound familiar?)

    Disable DDEAUTO by following these steps from Martin Brinkmann at ghacks. Note that this is a rather draconian approach, with consequences for OneNote, Outlook and others described by Will Dormann. If you find that something breaks after you’ve clobbered DDEAUTO – most likely, an older document that no longer updates properly – you won’t have much choice but to turn DDEAUTO back on. While you’re at it, tattoo inside your eyelids: “Do NOT Enable Editing.”

    Anyway, if you (or your users) are prone to clicking on “Enable Editing,” it’d be worthwhile following the Security Advisory instructions or Martin Brinkmann’s steps to turn off DDEAUTO.

    Windows Patches/Security , ,

  • DDEAUTO vulnerability evolving

    Posted on October 22, 2017 at 14:29 CDT by Comment in the Forums

    Further to recent news on DDEAUTO vulnerability, this threat has, like all good malware, evolved.

    From nakedsecurity.sophos.com:

    On Friday, independent reports surfaced showing that it’s possible to run DDE attacks in Outlook using emails and calendar invites formatted using Microsoft Outlook Rich Text Format (RTF), not just by sending Office files attached to emails.

    In the original attack users had to be coaxed into opening malicious attachments. By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier.

    The good news is that whether a DDE attack comes via an attachment or directly in an email or a calendar invite, you can stop the attack easily:
    Just say no

    You can read their article here

    AdminITs might like to check out the Microsoft blog on ASR (Attack Surface Reduction), which is said to mitigate the risks – linked in the AdminIT Lounge topic “Enable Attack Surface Reduction in Win10-1709“.

    Office Patches/Security, Windows Patches/Security , ,

  • Word’s DDEAUTO field considered harmful

    Posted on October 10, 2017 at 07:31 CDT by Comment in the Forums

    Wow. This one goes all the way back to Hacker’s Guide to Word for Windows — which was published in 1994.

    Etienne Stalmans and Saif El-Sherei at Sensepost have publicized the {DDEAUTO} field’s unruly behavior. What they say is true — if you open a Word doc that contains a {DDEAUTO} field, and you click through the warnings, arbitrary code can be executed. That’s as it was designed.

    They miss one important point, though. If you open a DOCX that comes from the internet, at least with a bone-stock Word installation, you have to click the “Enable Editing” button before you see the other two warning dialogs.

    Everything old is new again….

    Office Patches/Security
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    May 2025
    S M T W T F S
     123
    45678910
    11121314151617
    18192021222324
    25262728293031

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.