Disable Office DDEAUTO to mitigate attacks

Martin Brinkmann
Oct 23, 2017
Updated • Jun 3, 2019
Microsoft Office, Security
|
23

There is a vulnerability in DDE in Office applications currently that is exploited actively in the wild. DDE, or Dynamic Data Exchange, is a feature of Microsoft Office that is designed to give applications the ability to exchange data between each other.

You can use DDE for instance to update a table in a Word document using Excel data.

The protocol is widely used, not only in Microsoft Office applications such as Word or Excel, but also in Visual Basic and many more.

What makes the vulnerability particularly worrisome is that it does not require macros. The current wave of attack uses email to distribute manipulated Office documents.

Users who run these documents get warning prompts in Office. Word for instance displays the warning "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files".

ddeauto word security

 

Most security applications detect no threat when it comes to these Office documents. While users may protect their data by selecting "no" when the prompts are displayed, you may want to add a layer of protection to this to protect systems regardless of the choices users make when they encounter these malicious documents.

Obviously, this is only an option if DDE is not required in the work environment. While it seems likely that it is not in most Home environments, companies may still use it and as such may not be able to disable the feature entirely.

Disable DDEAuto is a Registry file that is maintained on GitHub that disables the "update links" and "embedded files" functionality in Office documents when run.

It covers Word, Excel, WordMail, OneNote and Excel, and writes or edits Registry keys to add the protection. Note that you can enable the protection manually as well in Office (which sets the Registry keys to the values of the Registry file).

If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from "Update automatic links at open" listed under the general group on the page that opens.

dde word

In Excel, you may also want to check "Ignore other applications that use Dynamic Data Exchange (DDE)".

Group Policy

Replace the 2016 version of Excel or Word with the version installed on the machines you administrate. Note that you do need to install ther

For Excel, you find the options under Administrative Templates > Microsoft Excel 2016 > Excel Options > Advanced.

  • Ask to update automatic links
  • Ignore other applications

For Word, the options are located under Administrative Templates > Microsoft Word 2016 > Word Options > Advanced.

  • Update automatic links at Open.

Registry

Here is the list of Registry keys for Word and Excel for your convenience. Check out the GitHub page if you want to download the Registry file instead.

Note that you may need to create the values as they may not exist by default:

Word 2016

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2013

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2010

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Excel 2016

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Excel 2013

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: Options
  • Dword: 00000117

Excel 2010

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: Options
  • Dword: 00000117

Someone in the comments stated that the right value is 279 instead of 117. Try that and see if it works.

Summary
Disable Office DDEAUTO to mitigate attacks
Article Name
Disable Office DDEAUTO to mitigate attacks
Description
Find out how to disable Dynamic Data Exchange in Microsoft Office applications to protect computer systems against malicious attacks exploiting DDE.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Charly said on June 2, 2019 at 11:21 pm
    Reply

    Right value for options is 279 instead of 117.

  2. Bob Miller said on October 28, 2017 at 9:12 pm
    Reply

    >>If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from “Update automatic links at open” listed under the general group on the page that opens.<General, I find “Ask to update automatic links:, which was already checked . . .

  3. DaveK said on October 27, 2017 at 3:07 am
    Reply

    Can anyone confirm if WPS Office applications are affected by this in any way.

  4. Greg said on October 27, 2017 at 12:28 am
    Reply

    It appears the Excel option “Ignore other applications” breaks the ability to double-click an Excel spreadsheet inside of Explorer. Double-clicking an XLS file in Explorer will not open the spreadsheet in Excel when “Ignore other applications” is enabled.

    1. Pat said on October 30, 2017 at 7:51 pm
      Reply

      Indeed, we had that problem too. The option “Ignore other applications that use Dynamic Data Exchange (DDE)” in Excel, when checked, breaks the ability to double-click an Excel spreadsheet inside of Explorer. You get the following error message if you try to double-click an Excel file while this option is checked: “An error occurred when sending commands to the program”.

  5. chump2010 said on October 24, 2017 at 12:52 am
    Reply

    I forgot the Options part in my description. I apologise: Tools>OPTIONS>general etc.

    https://ibb.co/fTpSVm

    1. Richard Allen said on October 24, 2017 at 11:07 am
      Reply

      Thank you, appreciate the follow-up! Earlier, I had right away opened the options window, where I messed up is not noticing that the “Options” window, by default, opened to “LibreOffice” instead of “LibreOffice Calc” when I had Calc open. MY apologies!

      Open LibreOffice Calc – Tools/Options/click on button to the left of LibreOffice Calc/General
      Open LibreOffice Writer – Tools/Options/click on button to the left of LibreOffice Writer/General

      “Update links when opening” is by default set to “On request” for both Calc and Writer, I changed both to “Never” for now.

      https://s1.postimg.org/9339b8m5mn/Libre_Office_Calc.png

  6. Randy Vogel said on October 23, 2017 at 10:26 pm
    Reply

    Why not say NO, then use the File > Info > Edit Links to Files dialog to examine where the links are sourced from?

    1. martin said on October 24, 2017 at 10:15 am
      Reply

      Because standard users click ‘yes’ to everything without reading, admittedly this is a user issue not a sysadmin one but we cannot always protect against the weakest link.

  7. X said on October 23, 2017 at 5:54 pm
    Reply

    Nothing new there: DDE (Dynamic Data Exchange) has been around since 1987. It has been exploited before, but it’s now only becoming an increasingly-popular target for attackers.

  8. TimH said on October 23, 2017 at 3:57 pm
    Reply

    Is DDE used for importing email data from Outlook (the versions that come with Office) to other email clients?

  9. Tom said on October 23, 2017 at 9:48 am
    Reply

    DDE is neither a protocol nor a feature of particular apps or programming languages. See https://en.wikipedia.org/wiki/Dynamic_Data_Exchange
    So it would be more precise to use
    “DDE, or Dynamic Data Exchange, is a feature of Windows that is designed to give applications such as Microsoft Office the ability to exchange data between each other.”

    Above this, thanks for the useful information!

  10. chump2010 said on October 23, 2017 at 9:39 am
    Reply

    With respect to Libreoffice, I believe it is as follows, to disable the updating:

    Calc:

    Tools>General>LibreOffice Calc>General

    On the right hand side, there is an option for updating (Always/On Request/Never). Click Never and then click OK.

    Writer:

    Tools>General>LibreOffice Writer>General

    There is an option for Update Links when loading on the left hand side. Click never.
    Also the automatically update the charts and fields may need to be unchecked.

    I have not fully investigated this, but I think this covers it. Could someone check please.

    1. Richard Allen said on October 23, 2017 at 1:49 pm
      Reply

      ?!?!?
      What version are you using? I’m on version 5.4.2.2 and your location descriptions make zero sense.

      1. Richard Allen said on October 23, 2017 at 4:25 pm
        Reply

        As far as I can tell DDE is a supposed spreadsheet function in LibreOffice but there are functions of DDE that do not work. So, heck if I know what’s going on. Lost and Confused! ;)

        https://wiki.documentfoundation.org/Feature_Comparison:_LibreOffice_-_Microsoft_Office#Spreadsheet_applications:_LibreOffice_Calc_vs._Microsoft_Excel

      2. Richard Allen said on October 23, 2017 at 2:09 pm
        Reply

        DDE functions have been deprecated even prior to the existence of LibreOffice. So…?
        https://ask.libreoffice.org/en/question/88900/dde-support/

  11. miloš said on October 23, 2017 at 9:24 am
    Reply

    Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\OptionsValue: OptionsDword: 00000117
    not work. If you change the number to 117, do not open the excel report at all. The right number is 128 not to change!

    1. Martin Brinkmann said on October 23, 2017 at 10:00 am
      Reply

      Thanks, I have updated the article to reflect this. Cannot test this unfortunately, and could not find information on the Registry value.

      1. Anonymous said on October 23, 2017 at 10:48 am
        Reply

        ok.

  12. Claire said on October 23, 2017 at 8:20 am
    Reply

    Martin, thanks for the heads-up. How about PowerPoint?

    1. Martin Brinkmann said on October 23, 2017 at 9:03 am
      Reply

      I’m not 100% certain, but does not PP embed from Excel or Word? So, correct me if I’m wrong, but I assume that if you close the issue in Word and Excel, it should not be an issue in PP.

  13. Tony said on October 23, 2017 at 7:40 am
    Reply

    Does this affect LibreOffice or OpenOffice?

    What about Microsoft WordPad that is included with Windows?

    1. Martin Brinkmann said on October 23, 2017 at 7:48 am
      Reply

      LibreOffice and OpenOffice seem to support DDE as well, not sure if they are vulnerable. I don’t know about WordPad.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.