Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Microsoft releases a Security Advisory about the DDEAUTO fandango

    Posted on November 8th, 2017 at 13:57 woody

    I first wrote about the Word {DDEAUTO} field and its weird ways in “Hacker’s Guide to Word for Windows.” Yes, that was 23 years ago. {DDEAUTO} precedes Word macros, I do believe.

    Recently, some very smart folks have re-discovered the field and put it to nefarious purpose.

    @arekfurt has a great timeline.

    The speed of adoption of the DDE technique (roughly):

    -10/09: @sensepost blog post (re)discovering & validating technique
    -10/10: @GossiTheDog tweets about, fleshes out info on extensively
    -10/11: spotted in-the-wild (FIN7)
    -10/13: start of big surge in usage
    -10/25: Fancy Bear

    Those are all in 2017. The {DDEAUTO} field hasn’t changed a bit in two decades.

    Microsoft just released Security Advisory 4053440:

    Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields

    Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange

    Deja vu, eh? Consider this post from Oct. 27:

    The big threat now is from that Wacky Wascal BadRabbit, which started with a fake Flash update on a Russian site and an ancient DDEAUTO field exploit in Word (and Excel and Outlook and OneNote) and is being used to carry Locky and other ransomware.

    The DDEAUTO exploit isn’t a bug, according to Microsoft, because you have to click through three warning dialogs before it’ll bite. (The first of which is “Enable Editing.” Sound familiar?)

    Disable DDEAUTO by following these steps from Martin Brinkmann at ghacks. Note that this is a rather draconian approach, with consequences for OneNote, Outlook and others described by Will Dormann. If you find that something breaks after you’ve clobbered DDEAUTO – most likely, an older document that no longer updates properly – you won’t have much choice but to turn DDEAUTO back on. While you’re at it, tattoo inside your eyelids: “Do NOT Enable Editing.”

    Anyway, if you (or your users) are prone to clicking on “Enable Editing,” it’d be worthwhile following the Security Advisory instructions or Martin Brinkmann’s steps to turn off DDEAUTO.

  • Office non-security patches appear with the reprise of KB 2952664 and 2976978

    Posted on November 8th, 2017 at 07:45 woody

    The usual bunch of Office non-security patches appeared yesterday, with a couple of surprises. Publisher 2007, which is long past end-of-life, got a patch. In addition we saw the re-launch of two widely despised Win7 and 8.1 “compatibility appraiser” updates

    Computerworld Woody on Windows.

  • Thank you for voting!

    Posted on November 8th, 2017 at 07:43 woody

    “Every office in a democracy counts!”

  • No, ChromeOS isn’t impervious

    Posted on November 8th, 2017 at 03:13 woody

    Just so you know, Google awarded a $100,000 bug bounty to an anonymous contributor for finding a security hole in a beta version of ChromeOS.

    According to Google’s release notes for the current version of ChromeOS, from two weeks ago:

    Stable Channel Update for Chrome OS / Security Fixes

    [$100,000][766253] Critical: Persistent code execution on Chrome OS. Reported by Anonymous on 2017-09-18

    It’s the kind of security hole we see a half-dozen times a month in Windows. Google caught and fixed the bug before releasing the version of ChromeOS:

    We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

    A very different mindset, yes?