Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

Word 2007

[DrStrangluv]

What makes this patch especially interesting is they also released it for Word 2007, which otherwise would be end of life and excluded from updates.

Re:It's a forced upgrade

[Opportunist]

OLE is about 25 years old. If you have to update your software because it's not able to do OLE, it's about fucking time!

Newer?

[Dan+East]

newer Object Linking and Embedding (OLE) toolkit

OLE 1.0, released in 1990, was an evolution of the original Dynamic Data Exchange (DDE) concept

Boy, that's reassuring that OLE is so much newer than DDE. Why the heck is something like DDE still existing in their products when it was superseded by something 27 years ago?