Microsoft Word slams the door on DDEAUTO malware attacks

Remember the DDEAUTO vulnerability?

DDEAUTO, short for automatic dynamic data exchange, is a command you can put right inside the data of an Office file to get it to pull data out of another file.

According to Microsoft’s official documentation, DDEAUTO is only supposed to work within the same app, or between two apps that are already active:

DDEAUTO argument-1 argument-2 [argument-3] [switches]

[. . .]

Description: For information copied from another application, 
this field links that information to its original source file 
using DDE and is updated automatically. 

The application name shall be specified in argument-1; 
this application must be running. 

For example, you could have a Word report that pulled in the latest sales figures “live” from an Excel spreadsheet, provided you had both Word and Excel open already.

But researchers found that there was an undocumented feature in the DDEAUTO function whereby it could start any application already installed on your computer, such as the command shell CMD.EXE.

Having fired up this second program, the DDEAUTO function could be used to run a script specified inside the DDEAUTO command itself, instead of reading data from an existing file, as intended.

In other words, a crook could embed malware, in the form of a Powershell or other script, right in the data of a Word document or an Excel spreadsheet, and just opening the file would launch the malware command – without waiting for you to open an attachment, download a file or enable Word macros.

In short, remote code execution, or RCE.

Fortunately, you’d get two DDE warnings before the malicious script would run, but they weren’t warnings that anyone had previously learned to associate with malware.

First, this:

Followed by something along these lines:

Microsoft demurred over fixing this bug, describing it as a by-design feature – which it was, except for failing to enforce the restriction stated in the Microsoft Developer Network (MSDN) documentation, namely that “[the other] application must [already] be running”.

Cybercrooks quickly learned to exploit DDEAUTO as yet another route for introducing malware – one that few users were trained to look out for and avoid.

Sophos products block DDE attacks under the following names:

  • CXmail/OffDDE-*: emailed attachments and booby-trapped messages.
  • Troj/RtfDDE-*: booby-trapped RTF files.
  • Troj/DocDl-DJV: DDE attacks that try to download additional malware.

Change of heart

The good news is that Microsoft seems to have had a change of heart, at least in part.

I didn’t notice the details until now – as a macOS user, I get away without needing either Windows or Office in daily life! – but it turns out that downloads published in the December 2017 Update Tuesday included ADV170021, a so-called Microsoft Office Defense in Depth Update:

Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word.

Unfortunately, this isn’t a complete patch against your DDEAUTO problems, because it’s specific to the Word app, rather than generic to all the apps in the Office suite.

If you want to block DDEAUTO in other Office apps you will need to follow the app-specific registry hacks detailed in the Microsoft Office Security Advisory 4053440.

Nevertheless, this ADV170021 patch is a welcome change that introduces the following registry entry for Word:

HKEY_CURRENT_USER\Software\Microsoft\Office\<version#>\Word\Security\AllowDDE = 0

The default value, as indicated above, is zero, meaning that DDE is turned off altogether.

If that doesn’t work for you, you can revert to the old, insecure behaviour by setting AllowDDE = 2, allowing all DDEAUTO commands issued from inside Word.

For a middle ground, AllowDDE = 1 sets the as-originally-documented behaviour, so that DDEAUTO is allowed, but only between apps that are already running.

That means you can still hook your Word documents up to Excel spreadsheets for financial and similar data, but crooks can’t send in documents from outside to trick Word into running dangerous external programs such as CMD.EXE and PowerShell.