Disable Office DDEAUTO to mitigate attacks
A vulnerability in DDE in Office applications is currently being exploited actively in the wild. DDE, or Dynamic Data Exchange, is a feature of Microsoft Office that is designed to give applications the ability to exchange data with each other.
You can use DDE for instance to update a table in a Word document using Excel data.
The protocol is widely used, not only in Microsoft Office applications such as Word or Excel, but also in Visual Basic and many more.
What makes the vulnerability particularly worrisome is that it does not require macros. The current wave of attacks uses email to distribute manipulated Office documents.
Users who run these documents get warning prompts in Office. Word for instance displays the warning "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files".
Most security applications detect no threat when it comes to these Office documents. While users may protect their data by selecting "no" when the prompts are displayed, you may want to add a layer of protection that safeguards systems regardless of the choices users make when they encounter these malicious documents.
Obviously, this is only an option if DDE is not required in the work environment. While it seems likely that it is not required in most home environments, companies may still use it and as such may not be able to disable the feature entirely.
Disable DDEAuto is a Registry file maintained on GitHub that, when run, disables the "update links" and "embedded files" functionality in Office documents.
It covers Word, Excel, WordMail and OneNote, and writes or edits Registry keys to add the protection. Note that you can enable the protection manually as well in Office (which sets the Registry keys to the values of the Registry file).
If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from "Update automatic links at open" listed under the general group on the page that opens.
In Excel, you may also want to check "Ignore other applications that use Dynamic Data Exchange (DDE)".
Group Policy
Replace the 2016 version of Excel or Word with the version installed on the machines you administrate. Note that you do need to install ther
For Excel, you find the options under Administrative Templates > Microsoft Excel 2016 > Excel Options > Advanced.
- Ask to update automatic links
- Ignore other applications
For Word, the options are located under Administrative Templates > Microsoft Word 2016 > Word Options > Advanced.
- Update automatic links at Open.
Registry
Here is the list of Registry keys for Word and Excel for your convenience. Check out the GitHub page if you want to download the Registry file instead.
Note that you may need to create the values as they may not exist by default:
Word 2016
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
- Value: DontUpdateLinks
- Dword: 00000001
Word 2013
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail
- Value: DontUpdateLinks
- Dword: 00000001
Word 2010
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail
- Value: DontUpdateLinks
- Dword: 00000001
Excel 2016
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
- Value: DDEAllowed
- Dword: 00000000
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
- Value: DDECleaned
- Dword: 00000001
Excel 2013
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
- Value: DDEAllowed
- Dword: 00000000
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
- Value: DDECleaned
- Dword: 00000001
Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
- Value: Options
- Dword: 00000117
Excel 2010
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
- Value: DontUpdateLinks
- Dword: 00000001
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
- Value: DDEAllowed
- Dword: 00000000
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
- Value: DDECleaned
- Dword: 00000001
Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.
- Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
- Value: Options
- Dword: 00000117
Someone in the comments stated that the right value is 279 instead of 117. Try that and see if it works.
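The Registry values listed above can also be checked or written with a script. The following PowerShell is an added example, not the GitHub project's Registry file: it reports whether each listed value is present for the current user and writes it only when -Apply is given. The parameter names are assumptions of this example, and the Excel "Options" value is left out because it reportedly does not work.

```powershell
# Added example: audit (default) or apply the per-user values listed in this article.
# Parameter names ($OfficeVersion, $Apply) are this example's own, not from the GitHub project.
param(
    [ValidateSet('14.0', '15.0', '16.0')]
    [string]$OfficeVersion = '16.0',   # 14.0 = 2010, 15.0 = 2013, 16.0 = 2016
    [switch]$Apply                     # without -Apply the script only reports
)

$base = "HKCU:\Software\Microsoft\Office\$OfficeVersion"

# Path / value name / DWORD data, taken from the lists above.
# The Excel "Options" value is omitted: the article says it reportedly does not work.
$baseline = @(
    @{ Path = "$base\Word\Options";          Name = 'DontUpdateLinks'; Data = 1 }
    @{ Path = "$base\Word\Options\WordMail"; Name = 'DontUpdateLinks'; Data = 1 }
    @{ Path = "$base\Excel\Options";         Name = 'DontUpdateLinks'; Data = 1 }
    @{ Path = "$base\Excel\Options";         Name = 'DDEAllowed';      Data = 0 }
    @{ Path = "$base\Excel\Options";         Name = 'DDECleaned';      Data = 1 }
)

$report = foreach ($item in $baseline) {
    # Read the current data; $null means the key or the value does not exist yet.
    $current = $null
    if (Test-Path -Path $item.Path) {
        $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.($item.Name) }
    }

    if     ($current -eq $item.Data) { $state = 'Compliant' }
    elseif ($null -eq $current)      { $state = 'Missing' }
    else                             { $state = 'Different' }

    if ($Apply -and $state -ne 'Compliant') {
        # Create the key if needed, then write the DWORD (overwrites an existing value).
        if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord `
            -Value $item.Data -Force | Out-Null
        $state = "Set (was $state)"
    }

    [pscustomobject]@{
        Path = $item.Path; Name = $item.Name
        Expected = $item.Data; Found = $current; State = $state
    }
}

$report | Format-Table -AutoSize
```

Run it as the user whose Office profile you want to check, since every key sits under HKEY_CURRENT_USER.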
Right value for options is 279 instead of 117.
>>If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from “Update automatic links at open” listed under the general group on the page that opens.<General, I find “Ask to update automatic links:, which was already checked . . .
Can anyone confirm if WPS Office applications are affected by this in any way?
It appears the Excel option “Ignore other applications” breaks the ability to double-click an Excel spreadsheet inside of Explorer. Double-clicking an XLS file in Explorer will not open the spreadsheet in Excel when “Ignore other applications” is enabled.
Indeed, we had that problem too. The option “Ignore other applications that use Dynamic Data Exchange (DDE)” in Excel, when checked, breaks the ability to double-click an Excel spreadsheet inside of Explorer. You get the following error message if you try to double-click an Excel file while this option is checked: “An error occurred when sending commands to the program”.
I forgot the Options part in my description. I apologise: Tools>OPTIONS>general etc.
https://ibb.co/fTpSVm
Thank you, appreciate the follow-up! Earlier, I had right away opened the options window; where I messed up is not noticing that the “Options” window, by default, opened to “LibreOffice” instead of “LibreOffice Calc” when I had Calc open. My apologies!
Open LibreOffice Calc – Tools/Options/click on button to the left of LibreOffice Calc/General
Open LibreOffice Writer – Tools/Options/click on button to the left of LibreOffice Writer/General
“Update links when opening” is by default set to “On request” for both Calc and Writer, I changed both to “Never” for now.
https://s1.postimg.org/9339b8m5mn/Libre_Office_Calc.png
Why not say NO, then use the File > Info > Edit Links to Files dialog to examine where the links are sourced from?
Because standard users click ‘yes’ to everything without reading, admittedly this is a user issue not a sysadmin one but we cannot always protect against the weakest link.
Nothing new there: DDE (Dynamic Data Exchange) has been around since 1987. It has been exploited before, but it’s now only becoming an increasingly-popular target for attackers.
Is DDE used for importing email data from Outlook (the versions that come with Office) to other email clients?
DDE is neither a protocol nor a feature of particular apps or programming languages. See https://en.wikipedia.org/wiki/Dynamic_Data_Exchange
So it would be more precise to use
“DDE, or Dynamic Data Exchange, is a feature of Windows that is designed to give applications such as Microsoft Office the ability to exchange data between each other.”
Above this, thanks for the useful information!
With respect to Libreoffice, I believe it is as follows, to disable the updating:
Calc:
Tools>General>LibreOffice Calc>General
On the right hand side, there is an option for updating (Always/On Request/Never). Click Never and then click OK.
Writer:
Tools>General>LibreOffice Writer>General
There is an option for Update Links when loading on the left hand side. Click never.
Also, the options to automatically update the charts and fields may need to be unchecked.
I have not fully investigated this, but I think this covers it. Could someone check, please?
?!?!?
What version are you using? I’m on version 5.4.2.2 and your location descriptions make zero sense.
As far as I can tell DDE is a supposed spreadsheet function in LibreOffice but there are functions of DDE that do not work. So, heck if I know what’s going on. Lost and Confused! ;)
https://wiki.documentfoundation.org/Feature_Comparison:_LibreOffice_-_Microsoft_Office#Spreadsheet_applications:_LibreOffice_Calc_vs._Microsoft_Excel
DDE functions have been deprecated even prior to the existence of LibreOffice. So…?
https://ask.libreoffice.org/en/question/88900/dde-support/
Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options Value: Options Dword: 00000117
not work. If you change the number to 117, do not open the excel report at all. The right number is 128 not to change!
Thanks, I have updated the article to reflect this. Cannot test this unfortunately, and could not find information on the Registry value.
ok.
Martin, thanks for the heads-up. How about PowerPoint?
I’m not 100% certain, but does not PP embed from Excel or Word? So, correct me if I’m wrong, but I assume that if you close the issue in Word and Excel, it should not be an issue in PP.
Does this affect LibreOffice or OpenOffice?
What about Microsoft WordPad that is included with Windows?
LibreOffice and OpenOffice seem to support DDE as well, not sure if they are vulnerable. I don’t know about WordPad.