===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0192
         Securely opening Microsoft Office documents that contain
                    Dynamic Data Exchange (DDE) fields
                              9 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Saturday, December 9 2017

OVERVIEW

        Microsoft has released mitigation steps because an attacker could
        leverage the DDE protocol in Microsoft Office and Microsoft Excel
        documents to install malware.

        The software and versions affected are:

        Microsoft Excel
          Office 2007
          Office 2010
          Office 2013
          Office 2016

        Microsoft Outlook
          Office 2010
          Office 2013
          Office 2016
        [1]

IMPACT

        An attacker could leverage the DDE protocol by sending a specially
        crafted file to the user and then convincing the user to open the
        file, typically by way of an enticement in an email. Malicious code
        and commands of the attacker's choosing are then able to be run on
        the victim's computer. [2]

        There are news articles of this attack vector being used in the
        wild. [3][4] Additionally, AusCERT has seen malware campaigns using
        this attack vector in the wild.

MITIGATION

        Microsoft has released steps to mitigate the attack, but applying
        the mitigation may affect some functionality of Microsoft Excel and
        Microsoft Outlook.
        [1]

REFERENCES

        [1] Microsoft Security Advisory 4053440
            https://technet.microsoft.com/library/security/4053440.aspx

        [2] Nearly undetectable Microsoft Office exploit installs malware
            without an email attachment
            https://www.techrepublic.com/article/nearly-undetectable-microsoft-office-exploit-installs-malware-without-an-email-attachment/

        [3] Exploit:O97M/DDEDownloader.A
            https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:O97M/DDEDownloader.A&ocid=cx-blog-mmpc

        [4] APT28's latest Word doc attack eliminates needing to enable
            macros
            https://www.scmagazine.com/apt28s-latest-word-doc-attack-eliminates-needing-to-enable-macros/article/706319/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
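
The following is an added example, not part of the AusCERT bulletin or of Microsoft's advisory: a triage check that flags DDE fields and DDE links in Office Open XML files before a user opens them. It assumes the standard OOXML layout (field instructions in `word/*.xml`, `ddeLink` elements in `xl/externalLinks/*.xml`); the function names are hypothetical and the sample document is constructed with placeholder values.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def word_field_instructions(xml_bytes):
    """Yield each field's instruction text, rejoining text split across runs."""
    buf, depth = [], 0
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == W + "fldSimple":          # simple field: one attribute
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":          # complex field: begin ... end
            step = {"begin": 1, "end": -1}.get(el.get(W + "fldCharType"), 0)
            depth = max(0, depth + step)
            if depth == 0 and buf:             # outermost field just closed
                yield "".join(buf)
                buf = []
        elif el.tag == W + "instrText" and depth:
            buf.append(el.text or "")

def scan_ooxml(data):
    """Return (part, finding) pairs for DDE fields or links in a .docx/.xlsx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in word_field_instructions(z.read(name)):
                    if DDE_RE.search(instr):
                        findings.append((name, instr.strip()))
            elif name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                for el in ET.fromstring(z.read(name)).iter():
                    if el.tag.endswith("}ddeLink"):
                        link = f"{el.get('ddeService')}|{el.get('ddeTopic')}"
                        findings.append((name, link))
    return findings

def sample_docx():
    """Constructed sample: a field whose keyword is split across two runs."""
    xml = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> DDE</w:instrText></w:r>'
           '<w:r><w:instrText>AUTO "placeholder-app" "placeholder-topic"</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", xml)
    return out.getvalue()
```

Word routinely splits instruction text across runs, which is why the scanner joins `instrText` pieces before matching. When scanning untrusted files in bulk, use a hardened XML parser and cap the decompressed size of each part.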