Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

All well and good

[Ol+Olsoc]

But its a bloody nuisance when you work with something, then it suddenly goes away. Security through loss of function.

Re:All well and good

[DrStrangluv]

You can turn it back on with a registry key.

Re:All well and good

[TheRealMindChild]

DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.

Re:All well and good

[140Mandak262Jamuna]

Security and Convenience are diametrically opposite.

If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?

Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.

When I filed my change of address, Vanguard locked my account withdrawals for seven days. I sent a mail thanking them.

If there is someone to blame, blame Microsoft was making convenience more important than security, and for fostering a climate where that decision was considered better.

Re:All well and good

[OzPeter]

You can turn it back on with a registry key.

So what does it take to turn it on?

Or in other words, can a bad actor sneakily turn it back on for you?

Re:All well and good

[EvilSS]

You can turn it back on with a registry key.

So what does it take to turn it on?

Or in other words, can a bad actor sneakily turn it back on for you?

If a bad actor can edit the registry then they don't need to turn on DDE, they already have plenty of access to your device.

Re:All well and good

[Chris+Mattern]

So what does it take to turn it on?

Like the parent post said, access to the registry. If an attacker has access to your Windows Registry, you're already screwed. He doesn't need to stage an attack through Word DDE; he already has everything.

Re:All well and good

[Ol+Olsoc]

DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.

You are thinking specific, I'm talking about the generality of Microsoft disabling things that some users use. Apple does this too - I'm dealing with fallout of High Sierra turning thumbdrive encryption into a clusterfsck. When you have to keep finding new solutions to old challenges, it gets old real fast.

Re:All well and good

[Ol+Olsoc]

Security and Convenience are diametrically opposite.

If you leave your home unlocked and ask the cable guy to just go in and "fix" it, you don't have to wait at home between 8 AM and 4PM. So would you?

Funny you mention it. We've often had contractors come in and the often work unattended. They are bonded, and we are repeat customers.

Everytime my banker calls me on phone to check a 10K wire transfer, I specifically thank him for security.

Yeah, and I have a setup where any time a charge over a certain amount is charged to my Credit card, it disables the account, and a human calls me to verify the purchase.It's quite cool But still.

If there is someone to blame, blame Microsoft was making convenience more important than security, and for fostering a climate where that decision was considered better.

You are arguing against yourself. Your credit card and bankers have come out with a way to work around security vulnerabilities. Using Microsoft's paradigm, instead of a call to verify or some other security action, they would disable credit cards altogether.

My point, which seemed to me to be obvious, is that you fix the security vulnerability, not kill the process.

Re:All well and good

[MightyMartian]

Frankly anyone with any good sense should have been avoiding DDE for 20 years. The reality is that Microsoft should have killed it in the late 90s. Even without considering the security implications, it's a goddamned awkward data exchange protocol compared to OLE. The fact that Microsoft maintained this antiquated protocol really is the problem.

Re:All well and good

[thegarbz]

Security through loss of function

A long depreciation window combined with a functionally compatible and far superior alternative is not considered a "loss of function".

I guess you're also upset that you can no longer run 8 bit code on your 64 bit PC? Oh what a calamity!

Re:All well and good

[hairyfeet]

If you are using something originally coded for Windows 2.0 and OS/2 it might be time to actually upgrade to something newer, like say this century?

Re:All well and good

[phantomfive]

Is there any functionality that is even lost here? I would honestly be surprised if more than 5 people in the entire world are affected by this.

Re:All well and good

[Ol+Olsoc]

If you are using something originally coded for Windows 2.0 and OS/2 it might be time to actually upgrade to something newer, like say this century?

Note I heve never used DDE. But I can assure people there are cost center IT departments that are not happy right now.

Re:All well and good

[hackwrench]

I can run DOS programs through DOSBOX on my 64-bit PC and am still annoyed that emulation in general isn't transparent or that the sum total of all knowledge isn't completely available to me.

Re: All well and good

Sweet. Where do you work?

Re: All well and good

[Ol+Olsoc]

Sweet. Where do you work?

In the ninth level of hell.

Re:All well and good

True - ideally, MS should have been patching in a deprecation warning into Word years ago -- or, maintain a list of deprecated features.in the help menu and online.

There is one specific use-case of DDE that I believe MS Word does still use - when you open a word doc from explorer and Word is already running, the second instance instead communicates with the first to get it to open the document instead of having a second instance.

I don't know if this is still the case, or if people even care any more. However, checking the original article AND the original security advisory, I believe this blocks outgoing DDE launched by fields (and presumably VBA) in the document, not incoming DDE or DDE initiated by word.exe itself. This is all about blocking DDE commands potentially initiated by a malicious document; not about blocking Word's internal mechanisms.

Thus, Word probably continues to use DDE to give the 'single instance', but if you're part of the very small minority that use DDE fields inside Microsoft Word documents, which has been more or less deprecated since about Word 95, then you might have an issue. Most people probably have no idea that this feature existed.

Even then, in Word 95, you could tell this DDE approach was the old approach and you were supposed to be using OLE/ActiveX/COM instead. ANd I suspect MS will be moving completely off DDE at some point.

Re:All well and good

[angel'o'sphere]

It is actually not terrible. It is super simple. More or less a socket.

Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC. And my GEOCad system and my (META ) CASE System.

Re:All well and good

so it is not terrible because you never bothered to learn anything else. seems legit

Re:All well and good

[terjeber]

If you work with DDE these days, you're a moron. OLE was introduced in 1990, and replaces DDE. Anyone ever using DDE should now be well retired. The fact that they actually use DDE is proof they really needs to be retired. Voluntarily or not.

Re:All well and good

[Ol+Olsoc]

If you work with DDE these days, you're a moron.

Never have - never will. But some folks do, and last time I checked, there was no law against being a moran

OLE was introduced in 1990, and replaces DDE. Anyone ever using DDE should now be well retired. The fact that they actually use DDE is proof they really needs to be retired. Voluntarily or not.

If no one is using it, there is no need to retire it. If peopel are using it, you fix it. A concept that is based on not pissing people off. It isn't like this is the first security fla in Office, so perhaps any one or group that works with MS Office is a moron?

Re:All well and good

[terjeber]

But some folks do, and last time I checked, there was no law against being a moran

If you work professionally with DDE when Microsoft has been telling you for decades (yes, decades) to stop, then you should be summarily fired from your job as being entirely unqualified for it.

there is no need to retire it.

That's the point. There is a strong need to retire it. It's unsafe.

perhaps any one or group that works with MS Office is a moron?

I have written a few applications and app integrations with MS Office over the years. I stopped using DDE in the early 1990s, there are good alternatives. Anyone who works with Office AND has used DDE since the mide 1990s is a moron. Someone who should be fired for incompetence.

Eliminate functionality: ban bump stocks

See subject & demand that your government BANS BUMP STOCKS IMMEDIATELY. Banning bump stocks is the ONLY way to prevent future mass shootings like the Las Vegas shooting.

The Vatican doesn't want bump stocks banned & is spending millions of dollars to LOBBY AGAINST banning bump stocks. The VAST FORTUNE of the Vatican was obtained through illicit means including funding wars in Europe. The tradition of using VIOLENCE to grow the wealth of the Vatican is alive and well. Collectively, the Vatican, George Soros, and the NRA, are fighting (figuratively, I hope) to keep them legal. Jesus Christ is ROLLING IN HIS GRAVE.

* Moderators will undoubtedly attempt to censor my post to -1. This censorship is wrong and is probably paid for by the Vatican. It's no better than Hillary Clinton and the DNC paying shills to support George Soros and spread conspiracy theories about Russia. Slashdot must ultimately ELIMINATE MODERATION.

The real purpose of the Russia investigation is to DEFLECT ATTENTION away from the Democratic COLLUSION with the Vatican. Any alleged Russian meddling in our election was dwarfed by the Vatican meddling, delivering tens of millions of dollars to support DEMOCRATS. Notice how Democrats paid lip service to banning bump stocks & then took no action. On the surface, they appear to support gun control, but in reality Democrats align their agenda closely with the Vatican on nearly all issues. The Vatican is by far the biggest manipulator of American elections, but does so behind the scenes. That is why only one Catholic has ever been elected President and he was assassinated by the Vatican for going against their plan to remain IN THE SHADOWS.

Good posts (like this one) keep ending up at -1, and it makes Slashdot IMPOSSIBLE to read. Moderation (censorship) is RUINING this site. The moderation system has become a means for enforcing groupthink and SILENCING users like Creimer who become unpopular with a small group of MORONS with mod points. Once their karma is depleted by the ABUSE, they can only post twice a day, and at a score of -1. I post anonymously so my imposters can't silence me in the same manner. Otherwise, I would no doubt be their next victim based on the amount of abuse I take.

Most of the abuse is because I won't OpenSORES my Hosts File Engine. JEALOUS LOSERS are angry they can't PIRATE my code and because I tell the TRUTH about them in my posts. Most are angry because they keep DESTROYING themselves against me. It's really quite sad and pathetic.

APK

P.S.=> Idiots like AssFux(lol) have no courage. They will keep censoring my posts and making false statements about me. I circumvent their feeble efforts with my Hosts File Engine. It's also FAR more secure than any antivirus or firewall can ever hope to be... apk

Re:Eliminate functionality: ban bump stocks

[hackwrench]

Proof? You don't have a shred of evidence that banning bump stocks will change mass shootings one way or another. I might as well start posting that we should demand bump stocks on all weapons including melee weapons to prevent mass shootings.

Re:Eliminate functionality: ban bump stocks

LOL, nutter. Stopped at the anti-Catholic rhetoric straight out of the 1940's KKK.

I was hit with that malware attack

This bug still? I was hit with this attack back in 2008, it encrypted my MSWord interface to this weird long list of unusable modal icons, rendering my Office suite unusable.

I had to switch to LibreOffice to fix it.

I'm shocked that this is still happening in 2017 nearly a decade later!

Re:I was hit with that malware attack

[b0s0z0ku]

Sounds like you fixed it by upgrading :)

Re:I was hit with that malware attack

Yes and LibreOffice is the epitome of security.

Word 2007

[DrStrangluv]

What makes this patch especially interesting is they also released it for Word 2007, which otherwise would be end of life and excluded from updates.

Re:Word 2007

Yes. This speaks volumes about the huge issue the DDE attack vector is right now. Literally almost all spam is using it right now. This and the Equation Editor attack.

Re: Word 2007

[Frosty+Piss]

Of course. Many of their corporate clients still use 2007.

Re: Word 2007

Of course. Many of their corporate clients still use 2007.

That's because newer versions really don't offer anything most people would care about.
Upgrading is really done because "2007" sounds like it was a long time ago or you bought a new computer.

Re: Word 2007

[MightyYar]

Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!

Re: Word 2007

Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!

I have used Microsoft Office with the ribbon bar for several years and i still have to search for fhe functions. I believe much of my confusion is caused by the folding when the window isn't maximizqed.

Re: Word 2007

Oops, I accidently flipped a t upside down.

Re: Word 2007

[MightyYar]

The folding is annoying, and the way different size screens show different versions of the toolbar (maybe that's the same thing?). I also don't like that they repeat the location of items in multiple places, or that they screwed with the shortcuts. But mostly, I just don't like that they threw their power users under the bus for the sake of the newbies... it shows what they think of us. I've made a concerted effort to remove myself from MS's tools as a result. No matter, our office still pays the ransom.

Re: Word 2007

Word '97 was just fine for me.

Re: Word 2007

[MightyYar]

That release will forever be stained by Clippy, but otherwise I'd agree.

Re: Word 2007

[thegarbz]

Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!

Just because you had to learn something new doesn't make it a downgrade. I'm sorry someone moved your cheese, but the world is a better place for your loss.

Re: Word 2007

[MightyYar]

I'm sorry, but having now used the ribbon for 6 or 7 years vs. having previously used the old menu systems for almost 20, I just haven't seen any productivity improvements - and in fact I still get irritated by weird ribbon behavior and differences between different systems with differently-shaped screens. I don't mind if someone "moves my cheese" for good reason, but "supporting touch screen" is not a good reason for a power user who never uses a MS tablet. At home I don't even bother installing MS Office anymore, even though I can get a legal copy for under $10 through work. If the ribbon were such a great productivity enhancer, why is MS the only taker? (Oh, that reminds me - screw you too, Mathworks. As if MATLAB needed to be touch-friendly.)

Re: Word 2007

[MightyYar]

And add Autodesk to the list of horrendous interfaces - though at least you can still type the same commands you could in 1993.

Re: Word 2007

Worse yet, it is a "skin", the old ui is still there underneath. Performance of Office 2003 was far superior. 2007 looks like the work of an art student who has never had to do serious work on a computer.

Re: Word 2007

[jbengt]

The Ribbon takes up more space than a drop-down menu plus three toolbars, is less customizable, takes more clicks to do common things than a menu + toolbar does, and rearranges itself when you resize the window, yet you somehow think that it makes the world a better place?

Re: Word 2007

[jbengt]

AutoCAD at least lets you, with some effort, set up your old menus and toolbars to use, and has a much better overall interface compared to Revit. Now that user interface sucks.

Re: Word 2007

Office 2003 was the pinnacle of MS office. It's just been downhill since. I prefer open/libre office these days.

Re: Word 2007

[angel'o'sphere]

A GUI that is not explorable and has everything you need at the wrong places and only works via buttons that "also have a right click mouse menu": is horrible.

In old GUI programs you simply moved with the mouse over menus and you knew what you can do and it was easy to figure how to do it ... FrameMaker comes to mind. Best "Word Processor" ever.

The MS ribbon nonsense requires formal training to be able to use the Office packages and Outlook. And don't get me started about Apples Pages and Numbers and don't even remember how the presentation software is called ... Notes? Completely useless pieces of shit. Worth than anything MS ever did. Unusable without having Google open and for funk sake being forced to memorize every stupid icon. You can not do anything relevant without opening the right toolbar/floating tools window and knowing which icon to click.

Re: Word 2007

[antdude]

I was using 2000 SR3 until October 2016 until my Windows XP Pro SP3's HDD crashed. :(

Re: Word 2007

[thegarbz]

I'm sorry, but having now used the ribbon for 6 or 7 years vs. having previously used the old menu systems for almost 20, I just haven't seen any productivity improvements

I have. The interesting thing is so have the millions of other people who more welcome context based options rather than menus of everything.

Greater good.

Re: Word 2007

[thegarbz]

And add Autodesk to the list of horrendous interfaces - though at least you can still type the same commands you could in 1993.

That is an interesting observation given the old command based system is one of the least user friendly ways of interacting with an application. There's no doubt for the expert it is a great benefit, but the world is built on experts alone.

Re: Word 2007

[thegarbz]

My 1024x768 monitor weeps for your 2003 problem.

Re: Word 2007

[thegarbz]

is not explorable

Every option available in the current context is explorable. On the flip side hiding those options in a list of unavailable and de-activated options is not user friendly.

has everything you need at the wrong places

Your "wrong places" is debatable. Personally I find it a great improvement in most of the office apps.

and only works via buttons

Except it doesn't.

The MS ribbon nonsense requires formal training to be able to use the Office packages and Outlook.

Only for people stuck in the early 90s who expect a menu with every option always available. For everyone else the ribbon is far more intuitive and easier to pick up.

Re: Word 2007

[MightyYar]

When it comes to professional software, the world is indeed built by experts. If you think the command based system is user-unfriendly, your sole experience with drafting is some kind of intro course. Even then, the clicks get old fast. Autodesk got the balance right - the experts can still use the system that they've been using for decades, and the newbies can screw with the ribbon. In the case of AutoCAD, it's not like the menu system was ever very important - you mostly used it to set up your toolbars, and now you use the ribbon to do that instead. Microsoft even screwed up the old shortcuts to match the new GUI, so they fucked up both expert and casual user alike in the interest of making a single version for both tablet and desktop.

Re: Word 2007

[MightyYar]

You are the first ribbon fan I've found in the wild. You could, of course work for MS or have some professional interest in the ribbon, but I'll give the benefit of the doubt and assume you are genuine. Everyone is different - and I won't begrudge your taste. I will ask how tossing away all of your 3-key shortcuts in favor of new 3-character+ shortcuts made you more productive? If you use a tablet or touch screen, I could understand. But the rest of us took the hit for what turned out to be a narrow use-case. Their Mac team left the old menu in place alongside the ribbon - that is a very user-friendly implementation.

Re: Word 2007

[MightyYar]

Only for people stuck in the early 90s who expect a menu with every option always available.

Outlook is not defensible. You have two completely separate edit modes, with completely separate ribbons and options available to you depending on whether you "pop out" the message you are editing or not. There is absolutely no way to use all of the features available for messages without first hitting the pop out button - which is not even part of the ribbon. The ribbon was clearly shoe-horned onto that program, and whatever you think of the concept of the ribbon in general, it was not executed well in Outlook.

Re: Word 2007

[angel'o'sphere]

Hahahaha

Save as
Print
Print Preview

On the wrong page.
The 'standard page for editing' has the wrong name ...

Sorry, the ribbon version of Office is completely unusable.

If you can work with it: fine for you...

It's a forced upgrade

Microsoft has superseded via the newer Object Linking and Embedding (OLE)

By breaking backwards compatibility, everyone else has to have to pony up for a newer version of Word to view your documents.

Imagine that.

Re:It's a forced upgrade

[Opportunist]

OLE is about 25 years old. If you have to update your software because it's not able to do OLE, it's about fucking time!

Re:It's a forced upgrade

[DarkOx]

That does not mean someone did not create new software using a document supported feature of the product just last week.

Re:It's a forced upgrade

[Kokuyo]

Then that someone is incompetent and deserves all that is coming.

By your logic, nothing could ever get phased out, no matter how bad it is.

Re:It's a forced upgrade

[Ol+Olsoc]

Microsoft has superseded via the newer Object Linking and Embedding (OLE)

By breaking backwards compatibility, everyone else has to have to pony up for a newer version of Word to view your documents.

Imagine that.

Microsoft Office is well known for being incompatible with itself.

Re:It's a forced upgrade

[Opportunist]

I honestly can't think of anyone still using DDE for anything. Compared to OLE it's clumsy and very, very badly supported. You'll have more comfort writing Windows GUI applications in C++ with Visual Studio than using DDE.

Re:It's a forced upgrade

[TheRaven64]

DDE was deprecated with win32. It was an old Win16 interface that was superseded by OLE (which has gone through a few iterations itself). The only reason to use DDE is for compatibility with legacy 16-bit applications, most of which won't even run on 64-bit Windows.

Re:It's a forced upgrade

[Chas]

I honestly can't think of anyone still using DDE for anything. Compared to OLE it's clumsy and very, very badly supported. You'll have more comfort writing Windows GUI applications in C++ with Visual Studio than using DDE.

Actually, a lot of Office links still use DDE.

Re:It's a forced upgrade

[paavo512]

-- posting to undo accidental moderation --

Re:It's a forced upgrade

The only reason to use DDE is for compatibility with legacy 16-bit applications, most of which won't even run on 64-bit Windows.

there are three possibilities:

- microsoft is beyond stupid for leaving in a 64 bit version of a 16 bit API (how do they do that)
- you are fucking wrong
- both of the above

the third option is the most likely

Re:It's a forced upgrade

[vtcodger]

"Actually, a lot of Office links still use DDE."

Not anymore apparently.

Re:It's a forced upgrade

[isj]

DDE was deprecated with win32.

Source please. Perhaps you are thinking of NetDDE?

Plain DDE may have been deprecated for use with the office programs, but it worked just fine for other things. I have made win32 programs that used DDE for (local) communication. Compared to the alternatives (tcp-over-loopback, shared memory+shared-mutexes, named-pipes) it works fine.

Re:It's a forced upgrade

[TheRaven64]

The Microsoft Visual C++ 5 documentation told me to not use DDE in new projects and to prefer OLE. I don't have a more recent reference, because I haven't run Windows for about 20 years.

Re:It's a forced upgrade

[hackwrench]

I was fully intent on writing lots of C++ code for GUI Windows programs, you insensitive clod!

Re:It's a forced upgrade

[isj]

Fair enough. I seem to recall that microsoft was trying to get people to use OLE for embedded objects. For such uses OLE is definitely more appropriate than DDE.

Re:It's a forced upgrade

[Chas]

Remember, they only disabled it for Word.

It still works in Excel and Outlook.

It'll probably be stripped completely out of Office 2018 though.

Re:It's a forced upgrade

[angel'o'sphere]

OLE is not DDE ... and I doubt people use any of those two things often, if at all.

Re:It's a forced upgrade

[angel'o'sphere]

And how do you pump data into "You'll have more comfort writing Windows GUI applications in C++" if not via DDE?

I guess you don't really know what DDE is and how it works.

Re:It's a forced upgrade

[angel'o'sphere]

OLE and DDE are completely different things.

In OLE e.g. a program enables you to "copy/paste" a part of an Excel Spread Sheet into your Application. That will be an "Excel Object that is Embedded into your document and Links to Excel so that Excel will recalculate that fragment when you change data"

DDE (dynamic data exchange) is a simple thing where you register a named server, that can be looked up, and you simply pipe strings or read strings from it. It is a fancy name for a local registry that is basically a set of named pipes.

Your document above only works when Excel is installed ... otherwise the excel object embedded in it is worthless.

DDE is just a socket/pipe to which you write more or less like to a file. It is superb for scripting an application, assuming it already has an scripting interface, it is like 5 lines of code to make it remotely scriptable via DDE. Like AppleScript or VBA for Applications make it possible to scrip an Application.

The guys who wrote 25 years ago in MS documentations you should prefer OLE over DDE simply had no clue either that both things are so completely different that it rarely makes sense to chose one over the other.

Re:It's a forced upgrade

[Opportunist]

So am I. I refuse to touch the atrocity that is C# for as long as I possibly can.

But it gets harder and harder with every incarnation of Visual Studio.

Re:It's a forced upgrade

[Opportunist]

Please don't tell me you use anything coming from MS Office as a trusted data source.

That's for managers so they can play with something and don't get in the way of working people.

Re:It's a forced upgrade

[SuperDre]

Why? the article is incorrect in saying OLE superseded DDE, DDE also has some other advantages which OLE doesn't do, they are actually 2 completely different things. And also, I always learned, if it ain't broke, don't fix it. Do be honest, the current Office365 is really REALLY crap compared to the older versions (webbased isn't even funny how crap that one is).

Re:It's a forced upgrade

[Opportunist]

The problem is, it is broke.

Re:It's a forced upgrade

[SuperDre]

Actually it isn't broken, it does what it needs to do... but others can misuse that functionality..

Re:It's a forced upgrade

[terjeber]

A documented supported feature Microsoft has been telling you for decades to stop using. Anyone using it has proven that their not qualified to work in software development.

Really?

This is the fucking problem with Microsoft, every fucking thing has to be able to execute fucking code and talk to fucking everything else that can also execute fucking code.

And then you fucking wonder why Microsoft is not fucking secure?

Fuck.

Re:Really?

[Hal_Porter]

There's no need to for that kind of language.

Re:Really?

[TheRaven64]

DDE was introduced in Windows 2.0 (in 1987), which also introduced such exciting features as overlapping windows. Computers that ran Windows 2.0 mostly didn't exchange files, but if they did it was most commonly on a 5.25" floppy disk or very occasionally via a serial link. The threat model for these machines largely related to someone breaking into your office and stealing them. Attacking this on most Windows 2.0 machines would have usually involved persuading a random person to accept a floppy disk and then run a program that you gave them (at which point, given the lack of memory protection, you already have complete control over their system and so there's no need for you to use a vulnerability in DDE).

Microsoft has kept this archaic technology for compatibility, because people much like you swear at them whenever the break old and insecure APIs and say that they're just doing it to inconvenience their competitors.

Re:Really?

I'm sorry for saying M******** twice.

Newer?

[Dan+East]

newer Object Linking and Embedding (OLE) toolkit

OLE 1.0, released in 1990, was an evolution of the original Dynamic Data Exchange (DDE) concept

Boy, that's reassuring that OLE is so much newer than DDE. Why the heck is something like DDE still existing in their products when it was superseded by something 27 years ago?

Re:Newer?

A few months ago, I was implementing a process control system that we wanted to conditionally write logs directly to a database. The documentation gave very simple instructions about how to do this with DDE.

Except that the DDE channel had been removed last year, and instead of a simple two-program system with free components, the OLE version took 4 proprietary programs.

That was my first foray into sorting through DDE or OLE, and while it may not be typical, my conclusion is that OLE is a complete failure and DDE survived so long because it actually worked.

Re:Newer?

[MightyMartian]

OLE and DDE certainly serve the same purpose, but OLE is Microsoft's implementation of CORBA, which has been around since the 1980s. So far as I understand it, at least in theory, OLE is supposed to interact with other CORBA implementations.

Re:Newer?

[angel'o'sphere]

That is actually a silly if not even dumb question.

I have a CAD system that is used for GEO informations, plans for buildings etc.

It can talk to Excel via DDE. Tell excel to open a "template file", save it as "today-${project}-earth-to-move.xls" and then the CAD system will pipe in the data to calculate the amount of earth to dig out and how many trucks you need to carry it away.

I got payed for that 20 years ago.

If Excel breaks DDE "communication" all my customers from over 25 years ago have to find one to program that again, with another approach.

Actually most things I did with DDE are the other way around: the DDE interface of my CAD System simply accepts the same syntax as text based import formats. Think about DXF files. You pipe line by line text into the CAD's DDE interface and it draws the objects you sent.

With OLE that would simply be much much more complicated for no benefit at all. Well, you could perhaps embed an interactive "CAD object" from my CAD System into your Word Document if I would support OLE ...

Re:Newer?

[angel'o'sphere]

No, OLE is the attempt of reinventing the Apple "OLE" which they had years before, but then dropped it as it is pointless.
CORBA is something completely different and has nothing to do with OLE at all. CORBA is an object oriented RPC (remote procedure call) "specification". It basically only works inside of the same "Server" (ORB = object request broker) family (same vendor, not even same OS is enough).
It got soon extended by the IIOP, internet inter ORB protocol, which made it possible that ORBs of different vendors could interact with each other.
While there are similarities, they have not much in common. In CORBA e.g. you have platform neutral specification languages (IDL, interface description languages) that make it possible to generate communication skeletons and "dumb data objects" to talk to any ORB. And then fill out the logic you need.
An ORB is basically a fancy "REST Server" ... or "SOAP", does not matter, means: A server application.
In other words: the data you manipulate is somewhere else. On the server.

With OLE every single Application on your Windows PC can be its own small server, able to handle requests to manipulate objects that are actually "embedded" into other programs.

You basically tell a remote (but still on the same machine) progam to manipulate your local data. OLE is basically CORBA reversed. Instead of calling business logic on the server, the other side manipulates the data in the client. (And there is no IDL/specification language, but you have to implement all the hooks the other side needs to manipulate your data)

P.S.
Similar to CORBA *and* OLE is MS COM and DCOM inspired by DECs was DCE, Distributed Computing Environment.
Or as a summary:
* CORBA is supposed to be used in a LAN/WAN and with IIOP over the internet, OLE is supposed to be used on the same machine, but it is possible to use OLE Servers (as in remote)
However, why anyone would use OLE for remote stuff when we have CORBA, SOAP and REST is beyond me.
* the CORBA server is called by clients, letting the server do something for them on the server
* OLE asks the server to do something inside of your own address space, you basically embed (hence the E in OLE) a part of the server into your own application, it is basically a super fancy DLL(dynamic link library)

Re:Newer?

Logs and databases have nothing to do with MS Office. Unless the plan was to create a clusterfuck.

Coming up next week....

[SteWhite]

"disables DDE only in Word, but not Excel or Outlook"

News from next week - cybercriminals switch to using malicious Excel sheets instead of Word documents in their malware spam.

Seriously, what are they thinking here?

Microsoft does it again

[evolutionary]

in the long tradition of long reaching poor ideas like VBA (which had to be disabled in IE for security issues which finally happened in IE7), IIS with insecure settings on be default (for convenience), now comes DDE. Things that had to be changed or disabled because of things anyone thinking it through would realize, is a bad idea. Of course Windows defender is a bit of a joke in the security world as well. The fact the update was done for Word 2007 probably means this vulnerability was so bad they included it to avoid repercussions from lawsuits of the government worried about foreign exploitation. Windows 10 in general (or at least the spyware components) will probably be on this list before long because people will finally wake up and realize what is happening, or some foreign country will exploit it to collect data and we'll be like, "how could MS do this?" answer: because we sat back, and let them. Security comes at the price of convenience, and MS has historically been poor at finding this balance, making things that are neither convenient or secure (at least in comparison to MacOS and Linux) . I specifically say "foreign power" because governments love backdoors, and "telemetry data" to spy on it's entire population. But..they seem to be of the illusion that you can make a door that only one specific group can use and other cannot find and use themselves.

Re:Microsoft does it again

[TheRaven64]

You realise DDE originated in 1987 and predates VBA by six years? What software did you write in 1987 that considered a world in which most computers were networked and exchanged untrusted documents?

Re: Microsoft does it again

[Zero__Kelvin]

You realize it is 2017 now, and that has been a concern for more than 20 years, right?

Kind of a clever attack

[Hal_Porter]

Details here -

http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

Amen!

I has this same feeling when they started pretending like NT4.0 never existed, "Security through loss of function."

Pop song reference

DDE did a job on me
Now my desktop's a real sickie
Guess I have to break the news
Now I've got no files to lose
Code Red caused a trichotomy
My PC is a lobotomy!
Lobotomy!
Lobotomy!

- from "Teenage Lobotomy" (Ramones)

Re: Pop song reference

[Zero__Kelvin]

It's Punk, not Pop.

DDE

[Dwedit]

DDE was already obsolete by the time Windows 98 came out, and should have been removed then.

Re:DDE

[vtcodger]

I know this will come as a shock to you, but there are users out there who like their applications to keep on working when their OS is "upgraded".

Re:DDE

If you have to use, much less support a custom application that has not been updated since 98, i feel for you. Such applications cannot be so complex that they could not be rewritten into a web application likely in months.

Custom applications running on clients is such a support time sink these days. Move it to the web. If the user's client takes a crap, drop in a replacement one and they're back up and running in little time. Though most of the time it's much simpler and something like having them clear their browser cache and they're back up and running.

A win by attrition

Now I can stop fighting the desktop team re: killing DDE in Word via GPO as they will blindly deploy M$'s "patch." Win!