As part of the December 2017 Patch Tuesday, Microsoft shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns abused this feature to install malware.

DDE stands for Dynamic Data Exchange, an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature that Microsoft has superseded with the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

DDE feature abused to install malware

In October 2017, security researchers from SensePost published a tutorial on how the DDE feature could be weaponized and abused to distribute malware.

Although DDE was already abused to distribute malware in the ’90s, the new methods explained in the SensePost tutorial were quickly adopted by malware distributors, first by FIN7, a group of hackers specializing in hitting financial organizations, and then by distributors of mundane malware.

At the time, Microsoft did not consider DDE a vulnerability in the Office suite but said it was just another legitimate feature abused to distribute malware.

Microsoft did not consider DDE attacks to be security issues because Office shows warnings before opening the files. This is just another case where malware authors have found a creative way of abusing a legitimate feature, as with OLE and macros, for which Microsoft also warns users before they run.

December 2017 Patch Tuesday disables…