Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft releases a Security Advisory about the DDEAUTO fandango

    Home Forums AskWoody blog Microsoft releases a Security Advisory about the DDEAUTO fandango

    This topic contains 12 replies, has 9 voices, and was last updated by  woody 6 days, 17 hours ago.

    • Author
      Posts
    • #144758 Reply

      woody
      Da Boss

      I first wrote about the Word {DDEAUTO} field and its weird ways in “Hacker’s Guide to Word for Windows.” Yes, that was 23 years ago. {DDEAUTO} precede
      [See the full post at: Microsoft releases a Security Advisory about the DDEAUTO fandango]

      2 users thanked author for this post.
    • #144771 Reply

      Purg2
      AskWoody Lounger

      It would seem that I have a version of Office that isn’t covered by this security advisory.

      Office Starter v14 (Excel & Word only)
      See image 01 of my image gallery.
      https://imgur.com/a/JftRQ

      Image 02 shows that the trust center settings are missing.

      Image 03 shows that the registry key is also missing.

      A few days ago I had unchecked the box in options that says “update automatic links at open.”  However, it’s still a bit unclear methinks.

      This leads me to believe that the starter version of office is either not affected or could still be vulnerable due to the lack of security settings.

      Maybe DDEAUTO only applies to enterprise or some other version that is not for home, scratches head.

      Win 8.1 Group B

      1 user thanked author for this post.
    • #144781 Reply

      alpha128
      AskWoody Lounger

      I disabled DDEAUTO in Word, on both my work and home machines, by following Martin Brinkmann’s steps.  There were no apparent ill effects.

      I did disable DDEAUTO in Excel, but I re-enabled it right after I discovered that you can’t launch Excel files from Windows Explorer without this turned on.

       

      1 user thanked author for this post.
      • #144823 Reply

        Noel Carboni
        AskWoody MVP

        I did disable DDEAUTO in Excel, but I re-enabled it right after I discovered that you can’t launch Excel files from Windows Explorer without this turned on.

        I’ve found that you CAN do that IF you also reconfigure the command lines that start Excel as a result of double-clicking a .xls file in Explorer. For me, with Office 2010, this also restores the ability to have spreadsheets in totally separate windows – i.e., just like in the good ol’ days when Windows really did windows. For me, with multiple monitors, I find this a necessity.

        Windows Update reverts this functionality, though, whenever an Office update is applied, so I reapply the following registry file every time after an update. Note that I strongly recommend researching and UNDERSTANDING what this does before applying it. Note that this is specific to Office 2010!

        Windows Registry Editor Version 5.00
        
        [HKEY_CLASSES_ROOT\Excel.CSV\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.CSV\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.CSV\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.OpenDocumentSpreadsheet.12\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        
        
        [HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
        "command"=-
        

        -Noel

        5 users thanked author for this post.
        • #144828 Reply

          alpha128
          AskWoody Lounger

          Thanks for the information Noel.  But I’m running Office 2013 and either way your approach is more bother than I want to deal with.

          Since I normally have libraries disabled, I already feel like I’m playing Russian roulette every time I install a Windows roll-up.

           

           

          1 user thanked author for this post.
        • #144856 Reply

          AlexEiffel
          AskWoody Lounger

          Heavy Excel users might want to note the following.

          I am not sure if it applies to your solution Noel, but when I do open documents in Excel 2010 in separate Windows, copy-past behaves differently and is quite annoying. I have to paste as csv or else I get something that looks more like a picture than a bunch of data. The way I open Excel files in different windows is open one file by double-clicking on it, open Excel (blank), open the second file through the open menu in the newly opened Excel blank file.

          For this reason, I only open Excel files in different windows when I really need a side-by-side comparison of both files.

          1 user thanked author for this post.
        • #144859 Reply

          MrJimPhelps
          AskWoody MVP

          For me, with Office 2010, this also restores the ability to have spreadsheets in totally separate windows – i.e., just like in the good ol’ days when Windows really did windows. For me, with multiple monitors, I find this a necessity.

          Excel 2016 restores the ability to open spreadsheets in two separate windows. The only caveat is that if your Excel window is maximized, the second spreadsheet will open on top of the first spreadsheet. But the windows aren’t fused together like they are in Excel 2010; you can easily separate them simply by moving one of them to another monitor.

          This was my only complaint about Excel 2010.

          1 user thanked author for this post.
          • #145216 Reply

            Noel Carboni
            AskWoody MVP

            Typical Microsoft. Restore a critical feature or function that an older version had and which was arbitrarily removed (or just made non-default) and call it an incentive to upgrade to the newest version.

            They are clearly just managing their old code base into the ground. I guess they just want to get out of the software business, presumably because they’re doing so well making hardware. LOL

            -Noel

    • #144837 Reply

      anonymous

      Perhaps worth noting that there exist 3rd party micropatches for Office that completely eliminate the DDE-related threat, even if attacker tricks the user to manually update a DDE field: https://0patch.blogspot.com/2017/10/0patching-office-dde-ddeauto.html

    • #144865 Reply

      Honeyko
      AskWoody Lounger

      In my opinion you ought to go to Defcon 1, as 1709 is still a BSOD-generator three weeks after roll-out. I have an external USB “legacy” (MBR) drive that I keep in order to have a “master” external for use in troubleshooting systems while on-the-go.

      I updated this drive on Nov. 7 after it had been sitting on a shelf for a month (so this was not a case of “old” launch-day updates sitting pending for weeks), and immediately noticed that it would no longer boot some systems (such as an HP Envy laptop) while having no issues with others (an HP Pavilion mini-tower of the same vintage). Weirdly, a clone of the drive to the laptop’s internal drive resulted in the OS working, but it refuses to boot externally. (This is not a drive or cabling issue.)

      Interestingly, 1703 did not appear to be problematic, as least insofar as external booting went.

      Edit to remove HTML

      1 user thanked author for this post.
    • #145151 Reply

      NetDef
      AskWoody Lounger

      Hope you don’t mind:  I used this AskWoody article as one of my credited sources for something I wrote up today.

      https://networkdefend.blogspot.com/2017/11/ddeauto-exploit-mitigation-for.html

      • #145241 Reply

        woody
        Da Boss

        Good stuff!

        It’s going to be quite an eye-opener for a lot of people.

        1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Microsoft releases a Security Advisory about the DDEAUTO fandango

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.