back to article Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

Malware exploiting Microsoft Word's DDE features to infect computers has been lobbed at US government-backed mortgage biz Freddie Mac. Well-crafted phishing emails were sent to staff promising free tickets to a Halloween event at a nearby Six Flags amusement park. If employees click through a link in the message, they're …

  1. Sureo

    Bye

    Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith.

  2. a_yank_lurker Silver badge

    Re: Bye

    It is not that unusual for an employee to get an email about tickets to an event or something similar which looks legitimate at a skim. It is not like one is going to look at the email header or verify every sender in large organization, if it feels legitimate then some will respond.

    Part of the problem is DDE is an Office 'feature' that has probably outlived its usefulness by a couple of decades. But Slurp will not deprecate it in new releases as it breaks backwards compatibility even if it is security risk.

  3. Lysenko Silver badge

    Re: Bye

    It's not that unusual to encounter road signs when driving, but some people are just in a hurry to get on with their day and pay little attention to them.

    So, if there's a clearly signposted side road and some lazy twit pays no attention and causes an accident, the problem is the side road? It should be removed, severely inconveniencing the residents of the small village it leads to, because some clueless morons can't be bothered to read road signs?

    I think not. What you do is prosecute the idiots and revoke their driving licenses. In a case like this, that means firing people. Not because it will rectify this specific instance of the problem rather, like many such sanctions regimes, pour encourager les autres.

  4. bombastic bob Silver badge
    Devil

    Re: Bye

    yeah, usually it's "the accountant" opening something from "the customer" or "the creditor" etc.

  5. bombastic bob Silver badge
    Coffee/keyboard

    Re: Bye

    "as it breaks backwards compatibility"

    /me accidentally ruins keyboard after doing a "spit-take"

  6. RockBurner

    Re: Bye

    I can think of several roles within an office that would legitimately be opening emails advertising special offers for trips to entertainment venues: anyone who does 'team moral' for starters. The vast majority of them (ime) are utterly clueless technologically speaking, so I'd expect this attack vector to be pretty successful.

  7. MartinBZM

    Re: Bye

    Pas devant les enfants ...

  8. Christian Berger Silver badge

    The problem is deeper

    1. Users on Windows are conditioned to always click "OK" when a popup appears. Popups appear even for completely pointless reasons. To the user they all look alike.

    2. The default way to install software on Windows is to download some file from some obscure location and then essentially execute it.

    3. Because of 2, Browsers often allow you to execute files you just downloaded right away, eliminate precious seconds in which the user could think about what they are doing.

    4. This is not limited to Windows, but there are idiots who believe that sandboxes work, even though they have been proven otherwise countless times. Those people insist on turing complete languages even in places where they are not essential. The results are websites that require javascript, or companies requiring you to install an app to get to their services.

  9. LDS Silver badge

    DDE is a Windows feature - not an Office one

    For example, even when an application is started initial data can be passed through DDE, instead of the command line.

    https://msdn.microsoft.com/en-us/library/windows/desktop/hh127429(v=vs.85).aspx

    https://msdn.microsoft.com/en-us/library/bb165967.aspx

    Removing it could really make a lot of older applications stop working correctly.

    Because Windows users usually pay for software, it's not nice to have a new release suddenly create problem to older software. Especially big customers may be really upset.

  10. LDS Silver badge

    "is to download some file from some obscure location"

    Don't know which your software suppliers are, but mine don't have "wharez" in their name....

  11. Christian Berger Silver badge

    Re: DDE is a Windows feature - not an Office one

    Well DDE is one of several simmilar features (because Microsoft just loves reinventing features). OLE Automation is, as far as I know, distinct from it.

    And of course there's probably still lots of software around which is vulnerable to that timer callback pointer problem, where an external message can include a callback pointer which will be called.

    In short, there are no security boundaries between different programs running under the same user.

  12. Fatman
    Joke

    Re: Bye

    <quote>Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith taken up to the roof, and by the use of a trebuchet, sent on a new career trajectory.</quote>

    There!

    FTFY!!!

  13. Anonymous Coward
    Anonymous Coward

    Re: Bye

    Agreed. The organization, in which I work, employs thousands of people, so the whole range of computer/security knowledge. I get hundreds of emails a day with something like 10 to 40 requiring a response. Thankfully, I can filter most of my emails to folders other than my inbox and if not specifically asked to act upon them they hit the void after they're a couple of weeks old.

    I'd suggest that under the right stress/work pressure anyone could mistaken click through a warning like that. Especially, if one thought there be a second if there were further issues.

  14. 404 Silver badge

    Hehehehehe....

    "whizzbang space-age technospeak jargon-pest"

    Good one!

  15. Herby Silver badge
    Joke

    Security warnings??

    Isn't that the Windows Boot screen. There is no 'OK' there.

    Maybe this isn't a joke after all.

  16. fobobob

    Dinosaur Dinosaur Evolution! When trying to interface a utility with a crusty old piece of software, I wound up opting to use SendMessage() and send data 1 character at a time as wParam. Passed over it mainly due to the odds of.. well, this sort of thing. COM/OLE stuff has worked for every other case I might have had a reason to consider it.

  17. 9Rune5

    I thought OLE was built upon DDE.

    And I thought what the article described (embedding an excel spreadsheet in a word doc) was the domain of OLE. DDE allows data to be exchanged, but OLE (Object Linking and Embedding or something like that) was the way to go if you wanted to interact with objects from other apps.

    Thankfully... That was a long time ago and is now mostly hidden away from today's developers.

  18. TRT Silver badge

    pivoting through Microsoft Excel

    I see what you did there.

  19. Korev Silver badge
    Coat

    Re: pivoting through Microsoft Excel

    It's good that they can table these puns

  20. Korev Silver badge
    Coat

    Re: pivoting through Microsoft Excel

    They should probably spend some time in a cell for it though...

  21. Timmy B Silver badge

    Just Seems Obvious...

    DDE is something I can't see being used very much bu anyone. So turn it off by default and then when something wants to use it alert the user that it will need to be installed and what that may mean. I suspect, though, that somewhere internally Office is using it and that's the real reason it can't be removed.

  22. Anonymous Coward
    Anonymous Coward

    WONTFIX

    There's always one (or often, sadly many more) in an organisation.

    Who refuses to fix something that really is a massive problem (never trust users auto pilot clicking a few boxes as meaningful)

    A non IT example, lots of fire engines were called to a lab recently as smoke billowing out.... (and so just in case big response as coudld potentially be all sorts of major nastiness in lab fire)

    Turned out cause was plastic ware put in heating oven (these get v. hot, so plastic combusted, lots & lots of smoke but fire contained to inside oven as various fire defence systems present in lab).

    On the door of said oven was a big sign that explicitly said NOT to put plastic ware in the oven....

    So, when you cannot rely on someone in a hurry to read huge red warning text in front of them, expecting informed consent on a mundane looking tickbox on a PC is fantasy land

    AC to reduce chance of exact people involved being revealed (I'm not the smoky culprit I should add!)

  23. David Roberts Silver badge
    Trollface

    Am I the only one.......

    ......who would have launched the photon torpedoes?

    Because, well, security, meh, but, photon torpedoes!!!

  24. Version 1.0 Silver badge

    Kill them all!

    This is why I strip all Microsoft documents (and a great many other) attachment file-types at the mail server - the email is allowed through but the document is removed. It's a minor inconvenience as the users can go to another place and retrieve the complete email if they really need it but it makes everyone think before they open those malware gifts that arrive every day.

    paymentdetails.docx = paymentdetails.pdf.js = paymentdetails.iso = paymentdetails.doc.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018