Microsoft Disables Word DDE Feature To Prevent Further Malware Attacks

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

All well and good

[Ol+Olsoc]

But its a bloody nuisance when you work with something, then it suddenly goes away. Security through loss of function.

Re:All well and good

[DrStrangluv]

You can turn it back on with a registry key.

Re:All well and good

[TheRealMindChild]

DDE is Windows 3 tech that was deprecated when 32bit Windows came around (due to OLE/ActiveX). It was a *terrible* cross library/process communication mechanism, which no one has used in over two decades, except when left in for "Legacy compatibility". Outside of Office, the only other app that may be currently used that supports this archaic API is mIRC.

Word 2007

[DrStrangluv]

What makes this patch especially interesting is they also released it for Word 2007, which otherwise would be end of life and excluded from updates.

Re: Word 2007

[MightyYar]

Frankly, 2007 was a UI downgrade from the very-complete 2003. Nothing like re-learning a GUI that you've been using for 20 years. Progress!

Re:It's a forced upgrade

[Opportunist]

OLE is about 25 years old. If you have to update your software because it's not able to do OLE, it's about fucking time!

Newer?

[Dan+East]

newer Object Linking and Embedding (OLE) toolkit

OLE 1.0, released in 1990, was an evolution of the original Dynamic Data Exchange (DDE) concept

Boy, that's reassuring that OLE is so much newer than DDE. Why the heck is something like DDE still existing in their products when it was superseded by something 27 years ago?

Re:Newer?

[angel'o'sphere]

No, OLE is the attempt of reinventing the Apple "OLE" which they had years before, but then dropped it as it is pointless.
CORBA is something completely different and has nothing to do with OLE at all. CORBA is an object oriented RPC (remote procedure call) "specification". It basically only works inside of the same "Server" (ORB = object request broker) family (same vendor, not even same OS is enough).
It got soon extended by the IIOP, internet inter ORB protocol, which made it possible that ORBs of different vendors could interact with each other.
While there are similarities, they have not much in common. In CORBA e.g. you have platform neutral specification languages (IDL, interface description languages) that make it possible to generate communication skeletons and "dumb data objects" to talk to any ORB. And then fill out the logic you need.
An ORB is basically a fancy "REST Server" ... or "SOAP", does not matter, means: A server application.
In other words: the data you manipulate is somewhere else. On the server.

With OLE every single Application on your Windows PC can be its own small server, able to handle requests to manipulate objects that are actually "embedded" into other programs.

You basically tell a remote (but still on the same machine) progam to manipulate your local data. OLE is basically CORBA reversed. Instead of calling business logic on the server, the other side manipulates the data in the client. (And there is no IDL/specification language, but you have to implement all the hooks the other side needs to manipulate your data)

P.S.
Similar to CORBA *and* OLE is MS COM and DCOM inspired by DECs was DCE, Distributed Computing Environment.
Or as a summary:
* CORBA is supposed to be used in a LAN/WAN and with IIOP over the internet, OLE is supposed to be used on the same machine, but it is possible to use OLE Servers (as in remote)
However, why anyone would use OLE for remote stuff when we have CORBA, SOAP and REST is beyond me.
* the CORBA server is called by clients, letting the server do something for them on the server
* OLE asks the server to do something inside of your own address space, you basically embed (hence the E in OLE) a part of the server into your own application, it is basically a super fancy DLL(dynamic link library)

Re:Really?

[TheRaven64]

DDE was introduced in Windows 2.0 (in 1987), which also introduced such exciting features as overlapping windows. Computers that ran Windows 2.0 mostly didn't exchange files, but if they did it was most commonly on a 5.25" floppy disk or very occasionally via a serial link. The threat model for these machines largely related to someone breaking into your office and stealing them. Attacking this on most Windows 2.0 machines would have usually involved persuading a random person to accept a floppy disk and then run a program that you gave them (at which point, given the lack of memory protection, you already have complete control over their system and so there's no need for you to use a vulnerability in DDE).

Microsoft has kept this archaic technology for compatibility, because people much like you swear at them whenever the break old and insecure APIs and say that they're just doing it to inconvenience their competitors.

Re:Microsoft does it again

[TheRaven64]

You realise DDE originated in 1987 and predates VBA by six years? What software did you write in 1987 that considered a world in which most computers were networked and exchanged untrusted documents?

Re:It's a forced upgrade

[Chas]

I honestly can't think of anyone still using DDE for anything. Compared to OLE it's clumsy and very, very badly supported. You'll have more comfort writing Windows GUI applications in C++ with Visual Studio than using DDE.

Actually, a lot of Office links still use DDE.

Re:It's a forced upgrade

[vtcodger]

"Actually, a lot of Office links still use DDE."

Not anymore apparently.

Re:DDE

[vtcodger]

I know this will come as a shock to you, but there are users out there who like their applications to keep on working when their OS is "upgraded".

Re:It's a forced upgrade

[angel'o'sphere]

OLE and DDE are completely different things.

In OLE e.g. a program enables you to "copy/paste" a part of an Excel Spread Sheet into your Application. That will be an "Excel Object that is Embedded into your document and Links to Excel so that Excel will recalculate that fragment when you change data"

DDE (dynamic data exchange) is a simple thing where you register a named server, that can be looked up, and you simply pipe strings or read strings from it. It is a fancy name for a local registry that is basically a set of named pipes.

Your document above only works when Excel is installed ... otherwise the excel object embedded in it is worthless.

DDE is just a socket/pipe to which you write more or less like to a file. It is superb for scripting an application, assuming it already has an scripting interface, it is like 5 lines of code to make it remotely scriptable via DDE. Like AppleScript or VBA for Applications make it possible to scrip an Application.

The guys who wrote 25 years ago in MS documentations you should prefer OLE over DDE simply had no clue either that both things are so completely different that it rarely makes sense to chose one over the other.