It’s been a busy week in the world of Microsoft Office security risks. Tuesday, the software giant released a patch for CVE-2017-11826, a remote code execution (RCE) vulnerability attackers could exploit to run malware delivered to victims via phishing attachments.
Now comes word of a zero-day attack technique that abuses Microsoft’s Dynamic Data Exchange (DDE) protocol, which sends messages and shares data between applications. Applications can use DDE for one-time data transfers and for continuous exchanges in which apps send each other updates as new data becomes available.
Sophos researcher Mark Loman says the technique is significant because attackers can use it to run malware without using macros, sidestepping the macro warnings and policies most organisations now rely on. He adds:
Microsoft says DDE has been a legitimate feature since 1993, but since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs).
There’s no word yet on when — or if — Microsoft will develop a patch.
For now, Sophos Intercept X customers are protected. Loman has created the following video showing how Intercept X stops attacks using the DDE zero-day:
For Office threats in general, here’s the advice we typically give:
- If you receive a Word document by email and you aren’t expecting it or don’t know the person who sent it, it’s better to leave it unopened.
- Use an anti-virus with an on-access scanner (also known as real-time protection). It can block malware of this type as one layer of a multi-layered defense.
- Consider stricter email gateway settings for the staff most exposed to malware-sending crooks, such as an order processing department that handles attachments from strangers all day. They are more likely to benefit from stringent precautions than to be inconvenienced by them.
- Never turn off security features or click through warnings because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled, and they have no business asking to update links or to start another application; a DDE document does exactly that, and answering No to those prompts stops the attack.
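Because a DDE field is just text inside the document's XML, the check a gateway or triage script most wants for the advice above is to pull every field code out of a .docx and flag those that begin with DDE or DDEAUTO. The following Python is an added example written for this article; it is not Sophos, Intercept X or SensePost code. It builds two constructed sample documents in memory (the hostile one has its field instruction split across several runs, as real samples do to dodge a naive grep) and scans them; the `cmd.exe "/c echo test"` target is a harmless stand-in, not a payload from any real sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace; ElementTree keys namespaced tags and attributes as "{ns}name".
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field instruction that starts with DDE or DDEAUTO. Leading whitespace and a
# stray opening quote are tolerated because Word is lenient about them.
DDE_RE = re.compile(r'^[\s"]*DDE(AUTO)?\b', re.IGNORECASE)

# Parts of a .docx that can carry field codes; headers and footers count too.
FIELD_PARTS_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def extract_field_codes(xml_bytes):
    """Return every field instruction found in one WordprocessingML part.

    Simple fields keep their instruction in <w:fldSimple w:instr="...">.
    Complex fields spread it over <w:instrText> runs between a fldChar
    'begin' and the fldChar 'separate' (or 'end'); a stack copes with nesting.
    """
    root = ET.fromstring(xml_bytes)
    codes = []
    stack = []  # one [buffer, still_collecting] entry per open complex field
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], True])
            elif kind == "separate" and stack:
                stack[-1][1] = False  # instruction finished; cached result text follows
            elif kind == "end" and stack:
                buf, _ = stack.pop()
                codes.append("".join(buf))
        elif el.tag == W + "instrText" and stack and stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return codes


def scan_docx(data):
    """Return [(part_name, field_code), ...] for every DDE field in a .docx.

    `data` is the raw bytes of the file. A .docx is a ZIP container, so no
    Office installation is needed and the document is never rendered.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not FIELD_PARTS_RE.match(name):
                continue
            for code in extract_field_codes(zf.read(name)):
                if DDE_RE.search(code):
                    hits.append((name, code.strip()))
    return hits


# --- Constructed sample documents for this example (not real malware) -------
DOC_HEAD = '<w:document xmlns:w="%s"><w:body>' % W_NS
DOC_TAIL = "</w:body></w:document>"

# A benign field: a page number.
BENIGN_FIELD = (r'<w:p><w:fldSimple w:instr=" PAGE \* MERGEFORMAT ">'
                r"<w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>")

# A hostile field in the shape SensePost described, with the instruction split
# across runs so that a naive grep of document.xml for "DDEAUTO" misses it.
# The command is a harmless stand-in chosen for this example.
DDE_FIELD = (
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    "<w:r><w:instrText>DDE</w:instrText></w:r>"
    r'<w:r><w:instrText>AUTO c:\\windows\\system32\\cmd.exe "/c echo test"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>Error! Not a valid link.</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)


def build_sample_docx(malicious):
    """Build a stripped-down .docx in memory: only word/document.xml, which is
    all the scanner reads. Real files carry more parts; the field syntax is the same."""
    xml = DOC_HEAD + BENIGN_FIELD + (DDE_FIELD if malicious else "") + DOC_TAIL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml.encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                hits = scan_docx(f.read())
            print(path, "DDE FIELD FOUND" if hits else "clean", hits)
    else:
        print("hostile sample:", scan_docx(build_sample_docx(True)))
        print("benign sample: ", scan_docx(build_sample_docx(False)))
```

Run it with no arguments to scan the two built-in samples, or pass one or more .docx paths. It inspects the OOXML container only: legacy binary .doc files store fields differently and are not covered, and a document that assembles the DDE instruction at render time from nested fields would need those nested results resolved rather than just the raw instruction text matched.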
Nice writeup, Bill, but why is there no blog about the current WPA2 drama? Customers are asking when Sophos will release an update. Thanks!
Hi, Mike. We’ve written about it on our sister site, Naked Security, and we also released a knowledge base article:
Source of original research: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Consider attributing them? They did the hard part.
Hi, Michael. We have indeed credited them.