MS Word DDE exploit

Amid the avalanche of cyber threats 2017 has already seen, a new attack has emerged targeting the least likely of applications. Earlier this month, security researchers from Sensepost discovered an unpatched vulnerability in Microsoft Word which allows hackers to practice remote code execution.

The Microsoft Word vulnerability

Microsoft Word employs a protocol called Dynamic Data Exchange (DDE) to share data between different applications. Hackers seem to have identified this gateway and have begun exploiting it. This protocol is being used by thousand of applications like Microsoft Word, Excel, Quattro Pro, Visual Basic, etc. Microsoft hasn’t released any updates for this vulnerability, but it is expected that Microsoft will address this fix in its next update.

Locky ransomware exploiting DDE

Microsoft Word was already being used by hackers to deploy Locky ransomware across machines. It has been reported that over six million computers are already infected with Locky. While Locky has previously employed macros-based, booby-trapped Microsoft Office documents, it appears that hackers have updated it, allowing them to exploit this DDE protocol and take screenshots of victims’ desktops.

Hancitor malware exploiting DDE

Along with Locky, another malware called Hancitor also employs this DDE exploit. With the exploit, Hancitor downloads and installs malicious payloads—like ransomware, a Banking trojan, and data theft malware—and is deployed in phishing emails as a macro-enabled Microsoft Office document.

Steps to stay safe against this Microsoft Word DDE exploit

Since Microsoft hasn’t released any patches for this remote code execution yet, you can avoid these threats by performing the following steps: 

1. Open Microsoft Word

2. Select “File”

3. Go to “Options”

4. Select “Advanced”

5. Navigate to “General”

6. Disable the “Update Automatic links at Open” option

If you want to do this for all computers in your network, you can create a custom script and deploy this configuration across your network using Desktop Central.

In addition to the steps listed above, you can avoid these threats by not clicking unnecessary links or opening unknown documents. Also, always verify the source of emails and documents before opening them.

Related posts :