Disable Office DDEAUTO to mitigate attacks

A vulnerability in DDE in Office applications is currently being actively exploited in the wild. DDE, or Dynamic Data Exchange, is a feature of Microsoft Office that is designed to let applications exchange data with each other.

You can use DDE for instance to update a table in a Word document using Excel data.

The protocol is widely used, not only in Microsoft Office applications such as Word or Excel, but also in Visual Basic and many more.

What makes the vulnerability particularly worrisome is that it does not require macros. The current wave of attacks uses email to distribute manipulated Office documents.

Users who open these documents get warning prompts in Office. Word, for instance, displays the warning "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?".


Most security applications detect no threat in these Office documents. While users may protect their data by selecting "no" when the prompts are displayed, you may want to add a layer of protection that covers systems regardless of the choices users make when they encounter these malicious documents.

Obviously, this is only an option if DDE is not required in the work environment. While it seems likely that it is not needed in most home environments, companies may still use it and as such may not be able to disable the feature entirely.

Disable DDEAuto is a Registry file maintained on GitHub that, when run, disables the "update links" and "embedded files" functionality in Office documents.

It covers Word, Excel, WordMail and OneNote, and writes or edits Registry keys to add the protection. Note that you can enable the protection manually as well in Office (which sets the Registry keys to the values of the Registry file).

If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from "Update automatic links at open" listed under the general group on the page that opens.


In Excel, you may also want to check "Ignore other applications that use Dynamic Data Exchange (DDE)".

Group Policy

Replace the 2016 version of Excel or Word with the version installed on the machines you administrate. Note that you do need to install ther

For Excel, you find the options under Administrative Templates > Microsoft Excel 2016 > Excel Options > Advanced.

  • Ask to update automatic links
  • Ignore other applications

For Word, the options are located under Administrative Templates > Microsoft Word 2016 > Word Options > Advanced.

  • Update automatic links at Open.

Registry

Here is the list of Registry keys for Word and Excel for your convenience. Check out the GitHub page if you want to download the Registry file instead.

Note that you may need to create the values as they may not exist by default:

Word 2016

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2013

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Word 2010

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail
  • Value: DontUpdateLinks
  • Dword: 00000001

Excel 2016

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Excel 2013

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
  • Value: Options
  • Dword: 00000117

Excel 2010

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DontUpdateLinks
  • Dword: 00000001
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DDEAllowed
  • Dword: 00000000
  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: DDECleaned
  • Dword: 00000001

Note: The below value reportedly does not work. I don't have access to Excel 2013 or 2010, and could not find any information on the value.

  • Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
  • Value: Options
  • Dword: 00000117
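
The lists above can be checked or applied in one pass with a short PowerShell script. This is an added example, not the Registry file from GitHub; the `-Apply` switch and the report columns are choices made here, and the `Options` = 00000117 value is left out because it reportedly does not work.

```powershell
# Added example: audit (default) or apply the HKEY_CURRENT_USER values listed in the article.
# Run it in the session of the user whose Office settings should be checked.
param([switch]$Apply)

$base     = 'HKCU:\Software\Microsoft\Office'
$versions = [ordered]@{ '14.0' = '2010'; '15.0' = '2013'; '16.0' = '2016' }

# Sub key below <version>, value name and wanted DWORD, all taken from the lists above
$settings = @(
    @{ Sub = 'Word\Options';          Name = 'DontUpdateLinks'; Want = 1 },
    @{ Sub = 'Word\Options\WordMail'; Name = 'DontUpdateLinks'; Want = 1 },
    @{ Sub = 'Excel\Options';         Name = 'DontUpdateLinks'; Want = 1 },
    @{ Sub = 'Excel\Options';         Name = 'DDEAllowed';      Want = 0 },
    @{ Sub = 'Excel\Options';         Name = 'DDECleaned';      Want = 1 }
)

$report = foreach ($ver in $versions.Keys) {
    # Skip Office versions that have no per-user key in this profile
    if (-not (Test-Path "$base\$ver")) { continue }

    foreach ($s in $settings) {
        $key     = "$base\$ver\$($s.Sub)"
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }

        if ($Apply -and $current -ne $s.Want) {
            # The values may not exist by default, so create key and value as needed
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
            $current = $s.Want
        }

        [pscustomobject]@{
            Office  = $versions[$ver]
            Key     = $key
            Value   = $s.Name
            Current = if ($null -eq $current) { '(not set)' } else { $current }
            Wanted  = $s.Want
            OK      = ($current -eq $s.Want)
        }
    }
}

$report | Format-Table -AutoSize
```

Without `-Apply` the script only reports. A value that shows as "(not set)" counts as not OK, because a missing `DontUpdateLinks` leaves the default link-update behavior in place.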

Publisher: Ghacks Technology News

Responses to Disable Office DDEAUTO to mitigate attacks

  1. Tony October 23, 2017 at 7:40 am #

    Does this affect LibreOffice or OpenOffice?

    What about Microsoft WordPad that is included with Windows?

    • Martin Brinkmann October 23, 2017 at 7:48 am #

      LibreOffice and OpenOffice seem to support DDE as well, not sure if they are vulnerable. I don't know about WordPad.

  2. Claire October 23, 2017 at 8:20 am #

    Martin, thanks for the heads-up. How about PowerPoint?

    • Martin Brinkmann October 23, 2017 at 9:03 am #

      I'm not 100% certain, but does not PP embed from Excel or Word? So, correct me if I'm wrong, but I assume that if you close the issue in Word and Excel, it should not be an issue in PP.

  3. miloš October 23, 2017 at 9:24 am #

    Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options Value: Options Dword: 00000117
    not work. If you change the number to 117, do not open the excel report at all. The right number is 128 not to change!

    • Martin Brinkmann October 23, 2017 at 10:00 am #

      Thanks, I have updated the article to reflect this. Cannot test this unfortunately, and could not find information on the Registry value.

      • Anonymous October 23, 2017 at 10:48 am #

        ok.

  4. chump2010 October 23, 2017 at 9:39 am #

    With respect to Libreoffice, I believe it is as follows, to disable the updating:

    Calc:

    Tools>General>LibreOffice Calc>General

    On the right hand side, there is an option for updating (Always/On Request/Never). Click Never and then click OK.

    Writer:

    Tools>General>LibreOffice Writer>General

    There is an option for Update Links when loading on the left hand side. Click never.
    Also the automatically update the charts and fields may need to be unchecked.

    I have not fully investigated this, but I think this covers it. Could someone check please.

  5. Tom October 23, 2017 at 9:48 am #

    DDE is neither a protocol nor a feature of particular apps or programming languages. See https://en.wikipedia.org/wiki/Dynamic_Data_Exchange
    So it would be more precise to use
    "DDE, or Dynamic Data Exchange, is a feature of Windows that is designed to give applications such as Microsoft Office the ability to exchange data between each other."

    Above this, thanks for the useful information!

  6. TimH October 23, 2017 at 3:57 pm #

    Is DDE used for importing email data from Outlook (the versions that come with Office) to other email clients?

  7. X October 23, 2017 at 5:54 pm #

    Nothing new there: DDE (Dynamic Data Exchange) has been around since 1987. It has been exploited before, but it's now only becoming an increasingly-popular target for attackers.

  8. Randy Vogel October 23, 2017 at 10:26 pm #

    Why not say NO, then use the File > Info > Edit Links to Files dialog to examine where the links are sourced from?

    • martin October 24, 2017 at 10:15 am #

      Because standard users click 'yes' to everything without reading, admittedly this is a user issue not a sysadmin one but we cannot always protect against the weakest link.

  9. chump2010 October 24, 2017 at 12:52 am #

    I forgot the Options part in my description. I apologise: Tools>OPTIONS>general etc.

    https://ibb.co/fTpSVm

    • Richard Allen October 24, 2017 at 11:07 am #

      Thank you, appreciate the follow-up! Earlier, I had right away opened the options window, where I messed up is not noticing that the "Options" window, by default, opened to "LibreOffice" instead of "LibreOffice Calc" when I had Calc open. MY apologies!

      Open LibreOffice Calc - Tools/Options/click on button to the left of LibreOffice Calc/General
      Open LibreOffice Writer - Tools/Options/click on button to the left of LibreOffice Writer/General

      "Update links when opening" is by default set to "On request" for both Calc and Writer, I changed both to "Never" for now.

      https://s1.postimg.org/9339b8m5mn/Libre_Office_Calc.png

  10. Greg October 27, 2017 at 12:28 am #

    It appears the Excel option "Ignore other applications" breaks the ability to double-click an Excel spreadsheet inside of Explorer. Double-clicking an XLS file in Explorer will not open the spreadsheet in Excel when "Ignore other applications" is enabled.

    • Pat October 30, 2017 at 7:51 pm #

      Indeed, we had that problem too. The option "Ignore other applications that use Dynamic Data Exchange (DDE)" in Excel, when checked, breaks the ability to double-click an Excel spreadsheet inside of Explorer. You get the following error message if you try to double-click an Excel file while this option is checked: "An error occurred when sending commands to the program".

  11. DaveK October 27, 2017 at 3:07 am #

    Can anyone confirm if WPS Office applications are affected by this in any way.

  12. Bob Miller October 28, 2017 at 9:12 pm #

    >>If you use Microsoft Word 2016 or Microsoft Excel 2016 for instance, you select Options > Advanced, and remove the checkmark from "Update automatic links at open" listed under the general group on the page that opens.<General, I find "Ask to update automatic links:, which was already checked . . .
