Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks

By Solarquest

Moderator
MalwareTips Staff
AV-Tester
Joined
Jul 22, 2014
Messages
1,946
#1
As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware.

DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

DDE feature abused to install malware
...
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,100
#2
Gee, disabling something by default that isn't needed. Now that's sacrilege to some people.

Of course they had to make it another opt-in GUI-less registry hack, right? What's one more gonna matter at this point. Make the user search the web for an hour to get info. Maybe the user will find it, maybe they won't. Maybe what they find is accurate, maybe not.

Why not just use Chromebook and save yourself a heap of trouble?
 
Joined
Feb 10, 2017
Messages
1,021
OS
Windows 10
Antivirus
Comodo
#3
Gee, disabling something by default that isn't needed. Now that's sacrilege to some people.
But imagine the suffering that Dave would go through having to spend 30 seconds of his life googling how to re-enable PowerShell. :cry:

Seriously though I'd love to hear the reasoning from a Microsoft engineer as to why they don't disable stuff that 99.9% of the user base doesn't know exists but has been continuously abused by malware authors for years. I simply can't understand it.
They can always keep this stuff enabled by default in the Pro/Enterprise/Education editions.
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,100
#4
They can always keep this stuff enabled by default in the Pro/Enterprise/Education editions.
But their security division pumps out the advisories non-stop to disable everything unneeded to the Pro/Enterprise/Education Admins. So it would make a whole lot more sense to disable by default and make it all opt-in.

Anyone who has had to slug their way through scattered, half-baked AppLocker-Device Guard-TPM documentation. What a rigmarole of epic proportions. Might as well throw yourself onto concertina wire or call it death by a 1000 cuts or however you wish to describe it.