Monday, 23 October 2017

Security Company: Microsoft Should Patch DDE Feature In Word


Microsoft has to come up with a solution to the DDE feature in Word now that cybercriminals use it . The Dynamic Data Exchange (DDE) feature of Word allows you to inject data from one document into a second document. Instead of a document, malicious code may also be linked. DDE is a legacy Inter-Process Communication (IPC) mechanism dating from 1987.


It consists of a protocol designed to exchange messages between two applications. In the case of DDE, it is further enhanced by giving access to shared memory. Microsoft Office provides an extension to allow DDE to communicate within external processes. Thus, DDE in a Word document may not only allow Excel to be invoked, but also to execute commands on the system via cmd.exe.

Security company SensePost warned Microsoft, but the software giant said it would not take any measures for the time being because DDE is considered a feature. It may be considered as a "candidate bug" in a subsequent version of Office. One possible reason for this is that users in multiple windows should be allowed to run the code called by DDE.

Security company EndGame decided to look into DDE within Word and discovered a bug in the implementation. The MSDN documentation about DDE states that the application that calls DDE must already run. However, that does not appear to be the case. Therefore, a malicious Word document via DDE can call cmd.exe and perform additional commands. According to Bill Finlayson of EndGame, Microsoft could resolve this by asking the user to start the app itself instead of doing this automatically.

Additionally, Microsoft can customize the text in the dialogs and make more security-oriented before running the requested application. Finlayson, however, refers to all attacks via macros that show that the end-user eventually clicks each window, regardless of the wording used. "The correct solution is therefore to ask the user to launch the application before they can click through the dialog, and then re-run the request." Finlayson is therefore sorry that Microsoft does not want to solve the problem, as attackers increasingly use this feature.

No comments:

Post a Comment