In December 2017, Microsoft released security updates for Microsoft Office to disable the DDE functionality. However, the vulnerability may not be completely mitigated, because a new malware campaign still targets the DDE vulnerability.
DDE vulnerability in Word
Microsoft Office has several methods for transferring data between applications. The DDE protocol is a collection of messages and policies. It allows applications to send messages to each other and to share data, and it uses shared memory to exchange that data between applications. Applications can use the DDE protocol for a one-time data transfer or for a continuous exchange, in which applications send each other updates as soon as new data becomes available.
There is a vulnerability in the Microsoft Office modules that support the DDE interface (see my article Microsoft’s Security Advisory 4053440 (DDE vulnerability)). There have been malware campaigns that exploit a DDE vulnerability in Microsoft Word to distribute malware. This forum entry documents this attack path. It is sufficient to open a compromised Word document to download and run the malware via the DDE interface.
A security advisory and a security patch for DDE
The vulnerability is actively exploited by the Russian hacker group Fancy Bear in malware campaigns. Microsoft was therefore forced to publish an advisory on how to switch off the DDE functionality. I had reported about it in the blog article Microsoft’s Security Advisory 4053440 (DDE vulnerability).
As part of the December 2017 Patchday, Microsoft then released security updates for Word 2017 (KB4011575) down to Word 2007, which are supposed to disable the DDE functionality (see the Word updates in the blog article Patchday: MS Office security updates (December 12, 2017)).
DDE exploit not completely closed?
I thought that the DDE vulnerability was closed. Then my MVP colleagues pointed me to the article DDE exploits still happening despite Microsoft updates to stop them from December 25, 2017. The author of this post wrote that he still observed malware campaigns targeting the DDE exploit.
These attacks differ slightly from the previous versions: the Word documents contain macros with a very simple, base64-encoded PowerShell script that carries the DDE exploit. When the document is run through an Office malware scanner, the macro shows up only with a DDE Auto command and not with a separately embedded DDE object, as was the case in the previous versions.
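The paragraph above makes a detection point that is easy to miss: a scanner that only looks for an embedded DDE field in the document body sees nothing, because the DDE command is hidden inside base64-encoded PowerShell in the macro. The following script is an added example, not code from the article or from the researcher it cites; it illustrates how a defender can check both places. It assumes only that the Word field names are DDE and DDEAUTO (these are documented Word field codes), and every sample input in it is constructed for the demonstration with placeholder commands rather than taken from a real campaign.

```python
import base64
import binascii
import re

# Word field codes that trigger a DDE request when the document is opened.
DDE_FIELD_RE = re.compile(r'\b(DDEAUTO|DDE)\b', re.IGNORECASE)
# A long run of base64 characters, as produced for powershell -EncodedCommand.
B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# The PowerShell switch that takes a base64 (UTF-16LE) encoded script.
ENCODED_CMD_RE = re.compile(r'-EncodedCommand\b', re.IGNORECASE)


def decode_base64_runs(text):
    """Yield plausible plaintexts of every long base64 run in text.

    PowerShell's -EncodedCommand expects UTF-16LE, so that is tried first;
    UTF-8 is tried as a fallback for other encoders.
    """
    for match in B64_RUN_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64, ignore the run
        for encoding in ('utf-16-le', 'utf-8'):
            try:
                yield raw.decode(encoding)
            except UnicodeDecodeError:
                pass


def find_dde_indicators(content):
    """Return the DDE-related indicators found in one piece of document content.

    content can be the text of a macro module or the XML of a document part
    (e.g. word/document.xml). Indicators are returned in a fixed order so the
    result is easy to compare.
    """
    findings = []
    # 1. A DDE/DDEAUTO field in clear text (the classic variant). Base64 runs
    #    are stripped first so that a random 'DDE' inside them is not counted.
    if DDE_FIELD_RE.search(B64_RUN_RE.sub('', content)):
        findings.append('dde-field-plain')
    # 2. Encoded PowerShell is suspicious in a macro on its own.
    if ENCODED_CMD_RE.search(content):
        findings.append('encoded-powershell')
    # 3. The variant from the December 2017 campaign: the DDE command only
    #    appears after decoding the base64 payload.
    if any(DDE_FIELD_RE.search(decoded) for decoded in decode_base64_runs(content)):
        findings.append('dde-field-in-base64')
    return findings


# --- Constructed samples (placeholders, not real payloads) -------------------

# Classic variant: a DDEAUTO field directly in word/document.xml.
FIELD_SAMPLE = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO placeholder_program '
    '"placeholder args" </w:instrText></w:r>'
)


def build_macro_sample():
    """Build the macro variant: DDEAUTO hidden in base64-encoded PowerShell."""
    inner_script = (
        'Write-Output "placeholder script that references DDEAUTO '
        'placeholder_program placeholder_args"'
    )
    encoded = base64.b64encode(inner_script.encode('utf-16-le')).decode('ascii')
    return (
        'Sub AutoOpen()\n'
        '    Shell "powershell -EncodedCommand ' + encoded + '"\n'
        'End Sub\n'
    )


MACRO_SAMPLE = build_macro_sample()

# A harmless macro for comparison.
CLEAN_SAMPLE = 'Sub AutoOpen()\n    MsgBox "Quarterly report loaded"\nEnd Sub\n'


if __name__ == '__main__':
    for name, sample in (('field', FIELD_SAMPLE), ('macro', MACRO_SAMPLE),
                         ('clean', CLEAN_SAMPLE)):
        print(name, find_dde_indicators(sample))
```

The point of the two-stage check is the one the article makes: on the macro sample the plain-text search finds nothing, and only decoding the base64 run reveals the DDEAUTO command. In practice this logic belongs in whatever scanner already extracts macros and document parts from the .docx container; here the samples are handed in as strings so the check can be run offline.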
The original e-mail was uploaded to the submission system of myonlinesecurity.co.uk on December 22, 2017. The author of the blog post tried the links in that e-mail several times over the following days. However, the answer was always a timeout. This was also the case for the numerous proxy servers he tested worldwide (to rule out a region-dependent trigger). On December 25, 2017 he finally received an answer to the clicked link: a malicious Word document with a DDE exploit in the macro was downloaded from the target page.
The person who originally uploaded the mail thought it was a phishing e-mail, because he did not receive a payload either. The e-mail pretends to come from eBay and asks the recipient to download an invoice.
Unfortunately, the websites contacted by the malicious PowerShell script returned a 404 response on December 25. The security researcher was therefore not able to find out what the final payload looks like, and has published the article as a general information post on the use of DDE in macros. It seems that someone behind the scenes is busy setting up a new malware campaign with a DDE exploit that still works on patched Word versions. Administrators in companies should therefore keep an eye on the issue. Further details and explanations, including screenshots of the e-mails, can be found here.