DDE feature in Microsoft Word disabled to avoid malware attacks

Microsoft is working to prevent malware attacks that abuse its applications. As part of that effort, it recently disabled the DDE feature in Word. The change is part of the December 2017 Patch Tuesday. Microsoft shipped this Office update because many malware campaigns have abused the DDE feature in Microsoft Word to install malware.


What is the DDE feature in Word

DDE, or Dynamic Data Exchange, is an old Microsoft feature. It was replaced by the newer Object Linking and Embedding (OLE) toolkit. However, DDE is still supported by Office applications, such as Word. Using DDE, one Office application can load data from other Office applications. For example, if an Excel file is embedded in a Word document, the data in the table in the Word document can be updated every time the Word file is opened.

Microsoft explains this feature in detail:

“The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.”

How the DDE feature is misused to install malware

The same capability that lets one Office application load data from another is being misused by malware writers to install malware. In fact, security researchers from SensePost published a tutorial in October 2017 on how the DDE feature can be ‘used’ to distribute malware. Unfortunately, this tutorial helped malware authors learn new methods of distributing malware. Hacker groups such as FIN7 adopted some of these methods to target financial institutions.

Microsoft described the scenario in which a malware author delivers malware using the DDE feature in Word:

“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”

More information on this update is available on TechNet.

Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.