Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

Malware exploiting Microsoft Word's DDE features to infect computers has been lobbed at US government-backed mortgage biz Freddie Mac. Well-crafted phishing emails were sent to staff promising free tickets to a Halloween event at a nearby Six Flags amusement park. If employees click through a link in the message, they're …

  1. Sureo

    Bye

    Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith.

    1. a_yank_lurker

      Re: Bye

      It is not that unusual for an employee to get an email about tickets to an event or something similar which looks legitimate at a skim. It is not like one is going to look at the email header or verify every sender in a large organization; if it feels legitimate then some will respond.

      Part of the problem is DDE is an Office 'feature' that has probably outlived its usefulness by a couple of decades. But Slurp will not deprecate it in new releases as it breaks backwards compatibility even if it is a security risk.

      1. Lysenko

        Re: Bye

        It's not that unusual to encounter road signs when driving, but some people are just in a hurry to get on with their day and pay little attention to them.

        So, if there's a clearly signposted side road and some lazy twit pays no attention and causes an accident, the problem is the side road? It should be removed, severely inconveniencing the residents of the small village it leads to, because some clueless morons can't be bothered to read road signs?

        I think not. What you do is prosecute the idiots and revoke their driving licenses. In a case like this, that means firing people. Not because it will rectify this specific instance of the problem; rather, like many such sanctions regimes, pour encourager les autres.

        1. MartinBZM

          Re: Bye

          Pas devant les enfants ...

      2. bombastic bob Silver badge
        Coffee/keyboard

        Re: Bye

        "as it breaks backwards compatibility"

        /me accidentally ruins keyboard after doing a "spit-take"

      3. Anonymous Coward

        DDE is a Windows feature - not an Office one

        For example, even when an application is started initial data can be passed through DDE, instead of the command line.

        https://msdn.microsoft.com/en-us/library/windows/desktop/hh127429(v=vs.85).aspx

        https://msdn.microsoft.com/en-us/library/bb165967.aspx

        Removing it could really make a lot of older applications stop working correctly.

        Because Windows users usually pay for software, it's not nice to have a new release suddenly create problems for older software. Especially big customers may be really upset.

        1. Christian Berger

          Re: DDE is a Windows feature - not an Office one

          Well, DDE is one of several similar features (because Microsoft just loves reinventing features). OLE Automation is, as far as I know, distinct from it.

          And of course there's probably still lots of software around which is vulnerable to that timer callback pointer problem, where an external message can include a callback pointer which will be called.

          In short, there are no security boundaries between different programs running under the same user.

      4. Anonymous Coward

        Re: Bye

        Agreed. The organization, in which I work, employs thousands of people, so the whole range of computer/security knowledge. I get hundreds of emails a day with something like 10 to 40 requiring a response. Thankfully, I can filter most of my emails to folders other than my inbox and if not specifically asked to act upon them they hit the void after they're a couple of weeks old.

        I'd suggest that under the right stress/work pressure anyone could mistakenly click through a warning like that. Especially if one thought there would be a second if there were further issues.

    2. bombastic bob Silver badge
      Devil

      Re: Bye

      yeah, usually it's "the accountant" opening something from "the customer" or "the creditor" etc.

    3. RockBurner

      Re: Bye

      I can think of several roles within an office that would legitimately be opening emails advertising special offers for trips to entertainment venues: anyone who does 'team morale' for starters. The vast majority of them (ime) are utterly clueless technologically speaking, so I'd expect this attack vector to be pretty successful.

    4. Christian Berger

      The problem is deeper

      1. Users on Windows are conditioned to always click "OK" when a popup appears. Popups appear even for completely pointless reasons. To the user they all look alike.

      2. The default way to install software on Windows is to download some file from some obscure location and then essentially execute it.

      3. Because of 2, browsers often allow you to execute files you just downloaded right away, eliminating precious seconds in which the user could think about what they are doing.

      4. This is not limited to Windows, but there are idiots who believe that sandboxes work, even though they have been proven otherwise countless times. Those people insist on Turing-complete languages even in places where they are not essential. The results are websites that require JavaScript, or companies requiring you to install an app to get to their services.

      1. Anonymous Coward

        "is to download some file from some obscure location"

        Don't know which your software suppliers are, but mine don't have "wharez" in their name....

    5. Fatman
      Joke

      Re: Bye

      <quote>Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith taken up to the roof, and by the use of a trebuchet, sent on a new career trajectory.</quote>

      There!

      FTFY!!!

  2. 404

    Hehehehehe....

    "whizzbang space-age technospeak jargon-pest"

    Good one!

  3. Herby
    Joke

    Security warnings??

    Isn't that the Windows boot screen? There is no 'OK' there.

    Maybe this isn't a joke after all.

  4. fobobob

    Dinosaur Dinosaur Evolution! When trying to interface a utility with a crusty old piece of software, I wound up opting to use SendMessage() and send data 1 character at a time as wParam. Passed over it mainly due to the odds of.. well, this sort of thing. COM/OLE stuff has worked for every other case I might have had a reason to consider it.

    1. 9Rune5

      I thought OLE was built upon DDE.

      And I thought what the article described (embedding an Excel spreadsheet in a Word doc) was the domain of OLE. DDE allows data to be exchanged, but OLE (Object Linking and Embedding or something like that) was the way to go if you wanted to interact with objects from other apps.

      Thankfully... That was a long time ago and is now mostly hidden away from today's developers.

  5. TRT Silver badge

    pivoting through Microsoft Excel

    I see what you did there.

    1. Korev Silver badge
      Coat

      Re: pivoting through Microsoft Excel

      It's good that they can table these puns

      1. Korev Silver badge
        Coat

        Re: pivoting through Microsoft Excel

        They should probably spend some time in a cell for it though...

  6. Timmy B

    Just Seems Obvious...

    DDE is something I can't see being used very much by anyone. So turn it off by default and then when something wants to use it alert the user that it will need to be installed and what that may mean. I suspect, though, that somewhere internally Office is using it and that's the real reason it can't be removed.

  7. Anonymous Coward

    WONTFIX

    There's always one (or often, sadly many more) in an organisation.

    Who refuses to fix something that really is a massive problem (never trust users auto pilot clicking a few boxes as meaningful)

    A non-IT example: lots of fire engines were called to a lab recently as smoke was billowing out.... (and so just in case, a big response, as it could potentially be all sorts of major nastiness in a lab fire)

    Turned out cause was plastic ware put in heating oven (these get v. hot, so plastic combusted, lots & lots of smoke but fire contained to inside oven as various fire defence systems present in lab).

    On the door of said oven was a big sign that explicitly said NOT to put plastic ware in the oven....

    So, when you cannot rely on someone in a hurry to read huge red warning text in front of them, expecting informed consent on a mundane looking tickbox on a PC is fantasy land

    AC to reduce chance of exact people involved being revealed (I'm not the smoky culprit I should add!)

  8. David Roberts
    Trollface

    Am I the only one.......

    ......who would have launched the photon torpedoes?

    Because, well, security, meh, but, photon torpedoes!!!

  9. Version 1.0 Silver badge

    Kill them all!

    This is why I strip all Microsoft documents (and a great many other) attachment file-types at the mail server - the email is allowed through but the document is removed. It's a minor inconvenience as the users can go to another place and retrieve the complete email if they really need it but it makes everyone think before they open those malware gifts that arrive every day.

    paymentdetails.docx = paymentdetails.pdf.js = paymentdetails.iso = paymentdetails.doc.html
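
The filtering described in the comment above, as an added example that is not part of the original post or any mail server's own code: the message is delivered, but any attachment whose final extension is on a blocklist is replaced with a short notice. The blocklist contents, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: Office types plus the extensions in the comment's sample
# names. The exact list a given mail server uses is a local decision.
BLOCKED = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf",
           ".js", ".iso", ".html", ".htm"}

def is_blocked(filename):
    """Judge by the final extension, so paymentdetails.pdf.js counts as .js."""
    name = (filename or "").strip().rstrip(".").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED

def strip_attachments(raw_bytes):
    """Return (cleaned message, filenames removed); the mail itself is kept."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in msg.walk():
        fname = part.get_filename()
        if part.is_multipart() or not is_blocked(fname):
            continue
        removed.append(fname)
        # set_content() clears the old payload and Content-* headers first,
        # so the MIME tree stays valid and the file name no longer appears
        # as an attachment.
        part.set_content(f"Attachment {fname!r} was removed by the mail filter.\n")
    return msg, removed

def sample_message():
    """Constructed message: a body, two blocked files and one allowed file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Payment"
    m.set_content("See attached.")
    for name in ("paymentdetails.docx", "paymentdetails.pdf.js", "minutes.pdf"):
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_attachments(sample_message())
    print("removed:", removed)
    print(cleaned.as_string())
```

Keeping the unmodified original in a separate store, as the comment describes, is outside this sketch.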
