ASB-2017.0192 - [Win] Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields 2017-11-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0192
         Securely opening Microsoft Office documents that contain
                    Dynamic Data Exchange (DDE) fields
                              9 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Saturday, December  9 2017

OVERVIEW

        Microsoft has released mitigation steps because an attacker could
        leverage the DDE protocol in Microsoft Office and Microsoft Excel
        documents to install malware.
        
        The software and versions affected are:
        
        Microsoft Excel
        Office 2007
        Office 2010
        Office 2013
        Office 2016
        
        Microsoft Outlook
        Office 2010
        Office 2013
        Office 2016 [1]


IMPACT

        An attacker could leverage the DDE protocol by sending a specially 
        crafted file to the user and then convincing the user to open the 
        file, typically by way of an enticement in an email.
        
        Malicious code and commands of the attacker's choosing can then be
        run on the victim's computer.[2]
        
        News articles report this attack vector being used in the
        wild.[3][4]
        
        Additionally, AusCERT has seen malware campaigns using this attack
        vector in the wild.


MITIGATION

        Microsoft has released steps to mitigate the attack, but in applying
        the mitigation some functionality of Microsoft Excel and Microsoft 
        Outlook may be affected. [1]
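
        Added example, not part of the AusCERT bulletin or Microsoft's
        advisory: one way to triage Office Open XML files for DDE content at a
        mail or file gateway, listing DDE/DDEAUTO field codes (rejoined when
        split across runs) and Excel DDE external links. The function names
        and the sample container with EXAMPLE-APP/EXAMPLE-TOPIC placeholders
        are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

def attr(el, name):
    # Attribute lookup that ignores the XML namespace.
    return next((v for k, v in el.attrib.items() if k.rsplit("}", 1)[-1] == name), "")

def find_dde(data):
    """Return (part, detail) for every DDE field or DDE link in an OOXML file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # not an XML part (images, directories, binaries)
            stack = []  # one buffer per open complex field, so nested fields work
            for el in root.iter():
                tag, kind = el.tag.rsplit("}", 1)[-1], attr(el, "fldCharType")
                if tag == "fldChar" and kind == "begin":
                    stack.append("")
                elif tag == "instrText" and stack:
                    stack[-1] += el.text or ""  # field code may span many runs
                elif tag == "fldChar" and kind == "end" and stack:
                    code = stack.pop().strip()
                    if DDE_RE.match(code):
                        hits.append((part, code))
                elif tag == "fldSimple" and DDE_RE.match(attr(el, "instr")):
                    hits.append((part, attr(el, "instr").strip()))
                elif tag == "ddeLink":  # spreadsheet external link of type DDE
                    hits.append((part, attr(el, "ddeService") + "|" + attr(el, "ddeTopic")))
    return hits

def constructed_sample():
    """Constructed container with placeholder values; not a real Office file."""
    w = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    doc = (f'<w:document {w}><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText>DD</w:instrText></w:r><w:r><w:instrText>EAUTO "EXAMPLE-APP" '
           '"EXAMPLE-TOPIC"</w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    link = ('<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            '<ddeLink ddeService="EXAMPLE-APP" ddeTopic="EXAMPLE-TOPIC"/></externalLink>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("xl/externalLinks/externalLink1.xml", link)
    return buf.getvalue()
```

        The check covers Office Open XML files only; legacy binary formats,
        RTF and message files need a format-specific parser.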


REFERENCES

        [1] Microsoft Security Advisory 4053440
            https://technet.microsoft.com/library/security/4053440.aspx

        [2] Nearly undetectable Microsoft Office exploit installs malware
            without an email attachment
            https://www.techrepublic.com/article/nearly-undetectable-microsoft-office-exploit-installs-malware-without-an-email-attachment/

        [3] Exploit:O97M/DDEDownloader.A
            https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:O97M/DDEDownloader.A&ocid=cx-blog-mmpc

        [4] APT28's latest Word doc attack eliminates needing to enable macros
            https://www.scmagazine.com/apt28s-latest-word-doc-attack-eliminates-needing-to-enable-macros/article/706319/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
