As part of the December patchday (12/12/2017), Microsoft has also issued a Microsoft Security Advisory Notification. It addresses the security settings for Active Directory Domain Services and discusses the DDE vulnerability when opening Office documents.
Microsoft Security Advisory 4056318 (AD)
This Security Advisory Notification addresses security settings for Active Directory Domain Services. Microsoft has published a document with the title Guidance for securing AD DS account used by Azure AD Connect for directory synchronization dealing with this topic.
Executive Summary: Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.
– Originally posted: December 12, 2017
– Version: 1.0
Microsoft Security Advisory 4053440 (DDE)
This Security Advisory Notification addresses an issue when opening a Microsoft Office document containing Dynamic Data Exchange (DDE) fields. Microsoft released a document with the title Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields (the first version was dated November 8, 2017) with some details. The document was updated on December 12, 2017 to reflect the changes made by the December 2017 security updates. I've covered the early version of this document in my blog post Microsoft's Security Advisory 4053440 (DDE vulnerability). Microsoft now writes:
Reason for Revision: Microsoft has released an update for all supported editions of Microsoft Word that allows users to set the functionality of the DDE protocol based on their environment.
For more information and to download the update, see ADV170021.
– Originally posted: November 8, 2017
– Updated: December 12, 2017
– Version: 2.0
The reason for updating this document: Microsoft has released an update (ADV170021) that 'allows users to set the functionality of the DDE protocol based on their environment' in all supported editions of Microsoft Word. I've mentioned these changes in my blog post Patchday: MS Office security updates (December 12, 2017).
The Microsoft statement that the update 'allows users to set the functionality of the DDE protocol based on their environment' sounds great. But you should know: Microsoft's security updates for Office from December 12, 2017 simply disable DDE. If this function is needed in an environment (because applications depend on it), an administrator can allow the DDE functionality again by adding the registry settings detailed in Microsoft's document Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields.
Similar articles:
Microsoft's Security Advisory 4053440 (DDE vulnerability)
Patchday: MS Office security updates (December 12, 2017)