Microsoft Office Vulnerability Alert

by Lauren Ascroft on 19 Oct 2017


Rockford IT’s IT Security Tester, Ian Simons, gives a better insight into the latest Microsoft security issue…

From Wikipedia:

“Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.”

This finding, published on the Sensepost blog on 9th October 2017, is quite interesting. Although it was reported to Microsoft in late August, there has been no patch to Office to raise the alert level shown to the user; instead the user sees only a pair of innocuous pop-ups. Microsoft have further stated that they believe the functionality to be a feature and that there will be no forthcoming patch.

The two warnings provided by Word are shown below:

Figure 1 – Initial warning triggered when DDE is detected within a Word document

Figure 2 – Second warning displayed after agreeing to the first warning

The only real sign that something untoward may be happening comes from examining the executable being called, a point easily missed. The command itself may trigger a download of a malicious file, which could be used to make your machine part of a bitcoin mining network, install a keylogger, install ransomware, etc.

At the time this blog post was published, no anti-virus or endpoint solutions listed on virustotal.com noticed or stopped the malicious file being downloaded. During testing here at Rockford, we noted that Kaspersky Endpoint Security both warned the user when they attempted to open the document and, importantly, blocked the malicious script from taking any action.
