[SingCERT] Advisory on Microsoft Office Dynamic Data Exchange Attacks

Published on Thursday, 02 November 2017 10:32

Background

SingCERT is aware of reports of hackers leveraging a built-in feature of Microsoft Office, the Dynamic Data Exchange (DDE) protocol, for malicious purposes.
 
Affected Products

All Microsoft Office applications including Outlook are known to be affected. The DDE attack can be embedded inside a tainted Microsoft Office document, an Outlook email or a calendar invite without requiring macros to be enabled.
 
Impact

A successful DDE attack allows the hacker to perform malicious code execution on a victim's computer. The hacker can infect the computer with malware and control it remotely to perform a variety of malicious tasks.
 
Recommendations

The DDE attack requires user interaction to succeed. Hence SingCERT recommends that users take the following precautionary measures:
  1. Do not open any Microsoft Office attachments from unfamiliar sources.

  2. If you encounter a warning dialog in Microsoft Office informing you that "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?", click “No”. This will stop a DDE attack from running.

  3. If you click “Yes” at the first dialog, you will see a second dialog warning that a command is about to be run (the text in parentheses and the program names referenced at the end will vary). Again, clicking “No” will stop the attack.

  4. Lastly, users can also consider disabling the “Update automatic links at open” option in Microsoft Office. For example, in Microsoft Word: Open Word → Select File → Options → Advanced, scroll down to General and then uncheck “Update automatic links at open”.

References

https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html

https://thehackernews.com/2017/10/ms-office-dde-malware.html

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/