• Microsoft releases a Security Advisory about the DDEAUTO fandango

    #144758

    I first wrote about the Word {DDEAUTO} field and its weird ways in “Hacker’s Guide to Word for Windows.” Yes, that was 23 years ago. {DDEAUTO} precede
    [See the full post at: Microsoft releases a Security Advisory about the DDEAUTO fandango]

    2 users thanked author for this post.
    • #144771

      It would seem that I have a version of Office that isn’t covered by this security advisory.

      Office Starter v14 (Excel & Word only)
      See image 01 of my image gallery.
      https://imgur.com/a/JftRQ

      Image 02 shows that the trust center settings are missing.

      Image 03 shows that the registry key is also missing.

      A few days ago I had unchecked the box in options that says “update automatic links at open.”  However, it’s still a bit unclear methinks.

      This leads me to believe that the starter version of office is either not affected or could still be vulnerable due to the lack of security settings.

      Maybe DDEAUTO only applies to enterprise or some other version that is not for home, scratches head.

      Win 8.1 (home & pro) Group B, Linux Dabbler

      1 user thanked author for this post.
    • #144781

      I disabled DDEAUTO in Word, on both my work and home machines, by following Martin Brinkmann’s steps.  There were no apparent ill effects.

      I did disable DDEAUTO in Excel, but I re-enabled it right after I discovered that you can’t launch Excel files from Windows Explorer without this turned on.

       

      1 user thanked author for this post.
      • #144823

        I did disable DDEAUTO in Excel, but I re-enabled it right after I discovered that you can’t launch Excel files from Windows Explorer without this turned on.

        I’ve found that you CAN do that IF you also reconfigure the command lines that start Excel as a result of double-clicking a .xls file in Explorer. For me, with Office 2010, this also restores the ability to have spreadsheets in totally separate windows – i.e., just like in the good ol’ days when Windows really did windows. For me, with multiple monitors, I find this a necessity.

        Windows Update reverts this functionality, though, whenever an Office update is applied, so I reapply the following registry file every time after an update. Note that I strongly recommend researching and UNDERSTANDING what this does before applying it. Note that this is specific to Office 2010!

        Windows Registry Editor Version 5.00
        
        [HKEY_CLASSES_ROOT\Excel.CSV\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.CSV\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.CSV\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        [-HKEY_CLASSES_ROOT\Excel.Sheet.12\shell\Open\ddeexec]
        
        
        
        [HKEY_CLASSES_ROOT\Excel.OpenDocumentSpreadsheet.12\shell\Edit\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /e \"%1\""
        "command"=-
        
        
        
        [HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
        "command"=-
        
        [HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command]
        @="\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
        "command"=-
        

        -Noel

        5 users thanked author for this post.
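
A read-only way to check whether an Office update has reverted these associations, as an added example that is not part of the post above. The ProgIDs, verbs and ddeexec removals are copied from the .reg file; the report layout and the "REVERTED" label are assumptions of this example.

```powershell
# Read-only audit of the associations set by the .reg file above (Office 2010 ProgIDs).
# Nothing is written to the registry; the output only shows what needs reapplying.
$targets = @(
    @{ ProgId = 'Excel.CSV';                        Verbs = @('Edit','Open'); NoDdeExec = $true  }
    @{ ProgId = 'Excel.Sheet.8';                    Verbs = @('Edit','Open'); NoDdeExec = $true  }
    @{ ProgId = 'Excel.Sheet.12';                   Verbs = @('Edit','Open'); NoDdeExec = $true  }
    @{ ProgId = 'Excel.OpenDocumentSpreadsheet.12'; Verbs = @('Edit');        NoDdeExec = $false }
    @{ ProgId = 'Word.Document.8';                  Verbs = @('Open');        NoDdeExec = $false }
    @{ ProgId = 'Word.Document.12';                 Verbs = @('Open');        NoDdeExec = $false }
)

$report = foreach ($t in $targets) {
    foreach ($verb in $t.Verbs) {
        $verbPath = "Registry::HKEY_CLASSES_ROOT\$($t.ProgId)\shell\$verb"
        $cmdKey   = Get-Item -LiteralPath "$verbPath\command" -ErrorAction SilentlyContinue

        $default = $null; $hasCmdVal = $false
        if ($cmdKey) {
            $default   = [string]$cmdKey.GetValue('')           # (Default) command line
            $hasCmdVal = $null -ne $cmdKey.GetValue('command')  # value the .reg file deletes
        }
        $hasDde = Test-Path -LiteralPath "$verbPath\ddeexec"

        # The .reg file passes the file name on the command line ("%1"), deletes the
        # "command" value, and removes shell\Open\ddeexec for the first three ProgIDs.
        $state = if (-not $cmdKey) {
            'command key missing'
        } elseif ($hasCmdVal -or ($default -notlike '*"%1"*') -or
                  ($t.NoDdeExec -and $verb -eq 'Open' -and $hasDde)) {
            'REVERTED'
        } else {
            'as configured'
        }

        [pscustomobject]@{
            Key            = "$($t.ProgId)\shell\$verb"
            State          = $state
            CommandValue   = $hasCmdVal
            DdeExec        = $hasDde
            DefaultCommand = $default
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```
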
        • #144828

          Thanks for the information Noel.  But I’m running Office 2013 and either way your approach is more bother than I want to deal with.

          Since I normally have libraries disabled, I already feel like I’m playing Russian roulette every time I install a Windows roll-up.

           

           

          1 user thanked author for this post.
        • #144856

          Heavy Excel users might want to note the following.

          I am not sure if it applies to your solution, Noel, but when I do open documents in Excel 2010 in separate windows, copy-paste behaves differently and is quite annoying. I have to paste as csv or else I get something that looks more like a picture than a bunch of data. The way I open Excel files in different windows is open one file by double-clicking on it, open Excel (blank), open the second file through the open menu in the newly opened Excel blank file.

          For this reason, I only open Excel files in different windows when I really need a side-by-side comparison of both files.

          1 user thanked author for this post.
        • #144859

          For me, with Office 2010, this also restores the ability to have spreadsheets in totally separate windows – i.e., just like in the good ol’ days when Windows really did windows. For me, with multiple monitors, I find this a necessity.

          Excel 2016 restores the ability to open spreadsheets in two separate windows. The only caveat is that if your Excel window is maximized, the second spreadsheet will open on top of the first spreadsheet. But the windows aren’t fused together like they are in Excel 2010; you can easily separate them simply by moving one of them to another monitor.

          This was my only complaint about Excel 2010.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          1 user thanked author for this post.
          • #145216

            Typical Microsoft. Restore a critical feature or function that an older version had and which was arbitrarily removed (or just made non-default) and call it an incentive to upgrade to the newest version.

            They are clearly just managing their old code base into the ground. I guess they just want to get out of the software business, presumably because they’re doing so well making hardware. LOL

            -Noel

    • #144837

      Perhaps worth noting that there exist 3rd party micropatches for Office that completely eliminate the DDE-related threat, even if an attacker tricks the user into manually updating a DDE field: https://0patch.blogspot.com/2017/10/0patching-office-dde-ddeauto.html

    • #144865

      In my opinion you ought to go to Defcon 1, as 1709 is still a BSOD-generator three weeks after roll-out. I have an external USB “legacy” (MBR) drive that I keep in order to have a “master” external for use in troubleshooting systems while on-the-go.

      I updated this drive on Nov. 7 after it had been sitting on a shelf for a month (so this was not a case of “old” launch-day updates sitting pending for weeks), and immediately noticed that it would no longer boot some systems (such as an HP Envy laptop) while having no issues with others (an HP Pavilion mini-tower of the same vintage). Weirdly, a clone of the drive to the laptop’s internal drive resulted in the OS working, but it refuses to boot externally. (This is not a drive or cabling issue.)

      Interestingly, 1703 did not appear to be problematic, at least insofar as external booting went.

      Edit to remove HTML

      1 user thanked author for this post.
    • #145151

      Hope you don’t mind:  I used this AskWoody article as one of my credited sources for something I wrote up today.

      https://networkdefend.blogspot.com/2017/11/ddeauto-exploit-mitigation-for.html

      ~ Group "Weekend" ~
