Disable Office DDEAUTO to mitigate attacks

0
289

There is a vulnerability in DDE in Office applications currently that is exploited actively in the wild. DDE, or Dynamic Data Exchange, is a feature of Microsoft Office that is designed to give applications the ability to exchange data between each other.

You can use DDE for instance to update a table in a Word document using Excel data.

The protocol is widely used, not only in Microsoft Office applications such as Word or Excel, but also in Visual Basic and many more.

What makes the vulnerability particularly worrisome is that it does not require macros. The current wave of attack uses email to distribute manipulated Office documents.

Users who run these documents get warning prompts in Office. Word for instance displays the warning “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files”.

ddeauto word security

 

Most security applications detect no threat when it comes to these Office documents. While users may protect their data by selecting “no” when the prompts are displayed, you may want to add a layer of protection to this to protect systems regardless of the choices users make when they encounter these malicious documents.

Obviously, this is only an option if DDE is not required in the work environment. While it seems likely that it is not in most Home environments, companies may still use it and as such may not be able to disable the feature entirely.

Disable DDEAuto is a Registry file that is maintained on GitHub that disables the “update links” and “embedded files” functionality in Office documents when run.

It covers Word, Excel, WordMail, OneNote and Excel, and writes or edits Registry keys to add the protection. Note that you can enable the protection manually as well in Office (which sets the Registry keys to the values of the Registry file).

If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from “Update automatic links at open” listed under the general group on the page that opens.

Read also:  Bitdefender 2018 changes

dde word

In Excel, you may also want to check “Ignore other applications that use Dynamic Data Exchange (DDE)”.

Group Policy

Replace the 2016 version of Excel or Word with the version installed on the machines you administrate. Note that you do need to install ther

For Excel, you find the options under Administrative Templates > Microsoft Excel 2016 > Excel Options > Advanced.

  • Ask to update automatic links
  • Ignore other applications

For Word, the options are located under Administrative Templates > Microsoft Word 2016 > Word Options > Advanced.

  • Update automatic links at Open.

Registry

Here is the list of Registry keys for Word and Excel for your convenience. Check out the GitHub page if you want to download the Registry file instead.

Note that you may need to create the values as they may not exist by default:

Word 2016

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0WordOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0WordOptionsWordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2013

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0WordOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0WordOptionsWordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2010

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0WordOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0WordOptionsWordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Excel 2016

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0ExcelOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0ExcelOptions
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0ExcelOptions
  • Value: DDECleaned
  • Dword: 00000001

Excel 2013

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0ExcelOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0ExcelOptions
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0ExcelOptions
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don’t have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0ExcelOptions
  • Value: Options
  • Dword: 00000117

Excel 2010

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0ExcelOptions
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0ExcelOptions
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0ExcelOptions
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don’t have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0ExcelOptions
  • Value: Options
  • Dword: 00000117