Despite a rash of attacks leveraging Dynamic Data Exchange fields in Office, including some spreading destructive ransomware, Microsoft has remained insistent that DDE is a product feature and won’t address it as a vulnerability.
Microsoft on Wednesday did, however, put some guidance in admins’ hands as to how to safely disable the feature via new registry settings for Office. Each one comes with a caveat that data between applications will no longer update automatically; this is something that would impact Excel users in particular who rely this live feed of data to keep spreadsheets automatically updated.
DDE is a protocol that establishes how apps send messages and share data through shared memory, Microsoft said.
Attackers that have found great success in the past 18 months with macro-based malware have re-invigorated their interest in using DDE to launch droppers, exploits and malware.
“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email,” Microsoft said. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”
Attacks leveraging macro malware weren’t finding much of an impediment in tricking users into enabling macros—which are off by default in Office—with clever social engineering through subject lines and attachments related to day-to-day business operations such as shipping notifications and invoices.
In Microsoft’s advisory published yesterday, it recommended enabling security-related feature control keys for Office 2016 and 2013 that will disable the automatic update of data from linked fields.
In Excel, Microsoft provided instructions on how to disable DDE via the registry editor or the user interface.
“Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”
For Outlook, setting the respective registry key will disable DDE updates as well as OLE links, the modern replacement for DDE. In Publisher, Microsoft recommends setting the same registry key for Word that will also disable both DDE and OLE.
In the Windows 10 Fall Creator Update, Microsoft recommends using Windows Defender Exploit Guard to block DDE malware, specifically with its Attack Surface Reduction component that blocks behaviors exhibited by these malicious documents. Microsoft says ASR will block Office apps from creating executable content, launching child processes and injecting into processes. It will also block macro code and block Win32 imports from macro code.
DDE-based attacks surfaced in mid-October when SensePost published a proof-of-concept attack demonstrating how an attacker would use DDE to run code on a machine. The company said it privately disclosed its research in August, and Microsoft responded in late September that DDE was a feature and that no further action would be taken.
A week later, the SANS Internet Storm Center reported an increase in traffic from the Necurs botnet that was spreading Locky ransomware using the DDE attack. A spam campaign was opting for the DDE technique in Word document attachments rather than macros, which had been for some time the preferred means of downloading malware from a remote server.
Attacks using DDE are also likely to bypass antimalware and intrusion prevention scanners given that it’s likely a whitelisted feature.
“Apparently, DDE and macros are both legitimate features in Microsoft Office. Both have been used in malware attacks. In both cases, Office documents from malicious spam provide warnings to let a victim know what’s going on. To fix the issue, you’d have to remove the DDE entirely,” said SANS ISC handler Brad Duncan in an interview with Threatpost last month. “If DDE is a functionality, then yes, I agree with Microsoft’s statement that it won’t be patched. However, many articles about DDE state it’s been superseded by OLE functionality. If so, why doesn’t Microsoft get rid of DDE entirely? Are there any legitimate DDE cases that require Microsoft to retain this backwards compatibility?”