Microsoft offers mitigation advice for DDE attacks scenarios
Microsoft has published a security advisorty containing DDE attack mitigation instructions for both users and admins.
What’s a DDE attack?
For a while now, attackers have been ditching malicious macros and OLE objects in favor of the Dynamic Data Exchange (DDE) attack technique to deliver malware via booby-trapped Office documents.
Opening such a document will not trigger any security warnings. Users will be simply asked to update the document links, and then to execute the retrieved application (malware). That last stage can also be eliminated altogether.
It is not a new avenue of attack, and the DDE feature that allows it was introduced into Microsoft Office decades ago, to enable data exchange between applications via shared memory.
Despite the attack technique gaining popularity, Microsoft said that there will be no patch. It is not a vulnerability, they said, but a feature. And, after all, Office applications do show one or more additional prompts that the users has to click through before the booby-trapped files are allowed to be opened.
Users should know better than that, by now, but unfortunately many do not. It falls on enterprise administrators to block the route that allows these attacks to succeed, and AV vendors to flag Office documents with DDE fields as potentially dangerous.
Some security companies have been offering their own solutions.
The security advisory released on Wednesday by Microsoft points administrators to documents detailing the enabling of specific feature control keys for security reasons, and instructions for all users on how to prevent automatic update of links in Excel, Outlook, Publisher, and Word.
In most cases, this can be done by manually creating and setting registry entries for the Office applications, and Microsoft warns that users should go about it carefully: “If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Use Registry Editor at your own risk.”
Enterprises that have switched to Windows 10 Fall Creator Update can also leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR), by blocking malicious behavior.
“Emerging exploits like DDEDownloader use the Dynamic Data Exchange (DDE) popup in Office documents to run a PowerShell downloader; however, in doing so, they launch a child process that the corresponding child process rule blocks,” they explain. The “Block Office applications from creating child processes” rule should stop the attack.
Microsoft continues to research this issue further and promises to post more information on protection when it becomes available.