Microsoft is trying every bit to prevent malware attacks using its applications. As a part of this prevention, Microsoft recently disabled the DDE feature in Word. The discontinuation of DDE feature in Word is a part of the December 2017 Patch Tuesday. Microsoft shipped this Office update because many malware campaigns have abused the DDE feature in Microsoft Word to install malware.
What is DDE feature in Word
DDE or Dynamic Data Exchange is an old feature by Microsoft. It was replaced by the newer Object Linking and Embedding (OLE) toolkit. However, DDE is still supported by Office applications, such as Word. Using DDE, one Office application can load data from other Office applications. For example, if an Excel file is embedded in a Word document, the data in the table in the Word document can be updated every time the Word file is opened.
Microsoft explains this feature in detail:
“The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.”
How DDE feature is misused to install malware
The very feature of DDE that enables one Office application to load data from another Office application is being misused by the malware writers to install malware. In fact, security researchers from SensePost even published a tutorial on how the DDE feature can be ‘used’ to distribute malware. This tutorial was published in October 2017. Unfortunately, this tutorial helped malware authors to learn new methods to distribute malware. Hackers’ groups such as FIN7 adopted some of these methods to target the financial institutions.
Microsoft mentioned the scenario where a malware author implants the malware using DDE feature in Word:
“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”
For more information on this update on TechNet.