Microsoft Office DDE zero-day: are you protected?


Microsoft Office DDE zero-day enables attacks without using macros.

It’s been a busy week in the world of Microsoft Office security risks. On Tuesday, the software giant released a patch for CVE-2017-11826, a remote code execution (RCE) vulnerability that attackers could exploit to run malware delivered to victims via phishing attachments.

Now comes word of a zero-day vulnerability in Microsoft’s Dynamic Data Exchange (DDE) protocol — which sends messages and shares data between applications. Applications can use DDE, for example, for one-time data transfers and for continuous exchanges in which apps send each other updates as new data becomes available.

Sophos researcher Mark Loman says it’s significant because attackers could exploit it to run malware without using macros. He adds:

Microsoft says DDE is a legitimate feature since 1993, but since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs).

There’s no word yet on when — or if — Microsoft will develop a patch.

For now, Sophos Intercept X customers are protected. Loman has created the following video showing how Intercept X stops attacks using the DDE zero-day:

For Office threats in general, here’s the advice we typically give:

  • If you receive a Word document by email and you aren’t expecting it or don’t know the person who sent it, it’s better to leave it unopened.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.
