
Microsoft Disables Dynamic Update Exchange Protocol in Word

In an attempt to prevent cybercriminals from abusing the Dynamic Update Exchange protocol (DDE) for nefarious operations, Microsoft has disabled the feature in all supported versions of Word.

The DDE protocol was designed to allow Windows applications to transfer data between each other and consists of a set of messages and guidelines.

Using shared memory to exchange data between Office applications, the DDE protocol has been replaced in Office with Object Linking and Embedding (OLE), but DDE is still supported in the popular productivity suite. 

Abusing DDE to deliver malware via Office documents isn’t always easy. In addition to creating a malicious document, an attacker would also need to convince the victim to disable Protected Mode and click through a series of prompts referencing linked files and remote data.

Regardless, security researchers stumbled upon numerous malware infection campaigns abusing DDE, ranging from DNSMessenger malware attacks orchestrated by the FIN7 hacking group, to Hancitor infections, and to Necurs-fueled Locky ransomware campaigns.

The Russia-linked cyber espionage group known as Fancy Bear has been seen leveraging DDE for malware infection purposes.

This prompted Microsoft to publish a security advisory in early November to inform users on how to protect themselves from such attacks. The tech giant also underlined that the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard as part of the Windows 10 Fall Creators Update keeps users protected from such attacks.

Previous mitigations against such attacks included setting specific registry keys to disable automatic data updates from linked fields, and Microsoft previously provided detailed information on how users could perform the action for Excel, Outlook, Publisher and Word.

Now, the company has decided to completely disable DDE in all supported versions of Word. The change was made as part of the December 2017 Patch Tuesday.

In a security advisory, Microsoft said that it continues to investigate this issue and that further updates will be provided if necessary.

Users who are unable to install the newly released Office security update, or who want to disable the DDE protocol in other Office applications such as Excel, can do so manually by applying the previously announced mitigations.

To change DDE functionality in Word after installing the update, users should navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Office\version\Word\Security AllowDDE(DWORD)

Next, users should set the DWORD value based on their requirements: 0 to disable DDE; 1 to allow DDE requests to an already running program (but prevent requests that launch another executable program); or 2 to fully allow DDE requests.
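For administrators who want to check this setting rather than edit it by hand, the following PowerShell script is an added example (not from Microsoft's advisory or this article) that reports the AllowDDE value for every Office version key found in the current user's hive and can set it to 0. The function name Get-WordDdeSetting and the -Enforce switch are hypothetical names chosen for this example; because the key lives under HKEY_CURRENT_USER, it must run as the user being checked.

```powershell
# Added example: audit, and optionally enforce, the AllowDDE value for Word.
param(
    [switch]$Enforce   # hypothetical switch for this example: write AllowDDE = 0
)

$officeRoot = 'HKCU:\Software\Microsoft\Office'
$meaning = @{
    0 = 'DDE disabled'
    1 = 'DDE allowed only to an already running program'
    2 = 'DDE fully allowed'
}

function Get-WordDdeSetting {
    # "version" in the article's path is a placeholder, so enumerate the numeric
    # version subkeys that exist and have a Word key instead of hard-coding one.
    if (-not (Test-Path $officeRoot)) { return }
    Get-ChildItem -Path $officeRoot |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        Where-Object { Test-Path "$officeRoot\$($_.PSChildName)\Word" } |
        ForEach-Object {
            $key = "$officeRoot\$($_.PSChildName)\Word\Security"
            $value = $null
            if (Test-Path $key) {
                $prop = Get-ItemProperty -Path $key -Name AllowDDE -ErrorAction SilentlyContinue
                if ($prop) { $value = $prop.AllowDDE }
            }
            # Anything other than a DWORD of 0, 1 or 2 is reported as unexpected.
            $state = 'unexpected value'
            if ($null -eq $value) { $state = 'not set' }
            elseif ($value -is [int] -and $meaning.ContainsKey($value)) { $state = $meaning[$value] }
            [pscustomobject]@{ Version = $_.PSChildName; Key = $key; AllowDDE = $value; State = $state }
        }
}

$results = @(Get-WordDdeSetting)
$results | Format-Table Version, AllowDDE, State -AutoSize | Out-Host

if ($Enforce) {
    # Write 0 wherever the value is missing, permissive, or of an unexpected type.
    foreach ($r in $results | Where-Object { $_.State -ne $meaning[0] }) {
        if (-not (Test-Path $r.Key)) { New-Item -Path $r.Key -Force | Out-Null }
        New-ItemProperty -Path $r.Key -Name AllowDDE -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "Set AllowDDE = 0 under $($r.Key)"
    }
}
```

A result of "not set" means no explicit value exists for that version, so Word falls back to whatever default the installed update level provides.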

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
