Saturday, November 11, 2017

DDEAUTO exploit mitigation for Microsoft Office 2007 through Office 2016

There is a very old exploit that has recently come under fire by malware teams across the globe.  An attached document in email - when opened by the recipient - can now download and install malware without macros.  It does require some user interaction, but the errors generated during the infection phase are not the same as the warnings we've previously been teaching end users to ignore or decline.

At the very least, new training is required.

In a classic "it's a feature, not a bug" reminder - it does not look likely that Microsoft is going to patch this problem. If this changes I will update this post to point to future security patches.

For a primer on what DDE is, check out Microsoft's documentation:
Microsoft MSDN - About Dynamic Data Exchange


For more explanation of what the problem is, what end users need to learn (to say no to), how it's being exploited, and other considerations on whether or not to disable DDE, see the following sources:


 ghacks.net: Disable Office DDEAUTO to mitigate attacks

 Askwoody.com: Microsoft releases a Security Advisory about the DDEAUTO fandango

 Sensepost: Macro-less Code Exec in MSWord


Decisions:
Protecting your system thus comes to deciding to make a trade-off:  do you want to be more secure or do you want to preserve certain power features in Microsoft Office for yourself or your users? Below I will provide several options to mitigate DDE attacks at different levels.  You can use some or all of them depending on your risk tolerance.

If you and/or your organization relies heavily on DDE then you may need to turn to other mitigation factors: primarily a good AV, good spam filters, and GREAT end-user training.


Mitigation:
If you can do without DDE, then below are the full REG keys needed to partially or fully disable the feature.



Standard disclaimers apply here:  You use these at your own risk.
It's likely that any of these changes could BREAK your work process.  It's also likely that many third party applications that use DDE will BREAK, CRASH or corrupt data with these settings.  
You must test these on non-production clients before trusting.  
You must review and understand every REG change before accepting it for your system.  
These changes may or may not actually block anything from infecting your system.  
Past and Future patches from Microsoft may or may not render these settings ineffective!  
You should BACKUP your HKEY_CURRENT_USER registry hive before importing or editing the below changes.

(Credit to the following sources - the below REG keys are a compilation from both.
  Will Dormann on GitHubGist - disable DDEAuto and
  Microsoft Security Advisory 4053440 )

How to use:
After making these changes the end user must log out then back on for the settings to take full effect.  Also note that these changes are PER USER - not for all users on a machine.  You will need to import these registry keys into every user profile (either directly from an active session on each, or via Group Policy, or via user REG hive identification and editing the below for each one.)

Copy and paste the code text blocks into a TXT file such as Notepad.  Change the extension from TXT to REG.  Import under each user account. More advanced users can either edit the registry directly, or use Group Policy for domains or local machines using the settings listed as a guide.  Advanced users should also reduce the scope of each settings file to match the versions of Office installed on their systems.


The Registry Keys:

These first two are recommended at a minimum: (the current exploits target Outlook and Word.)

Disable DDE for Outlook 2007 through 2016


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Options\vpref]
 "fNoCalclinksOnopen_90_1"=dword:00000001



Disable DDE for Word 2007 through 2016

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref]
 "fNoCalclinksOnopen_90_1"=dword:00000001



Disable DDE for OneNote 2013 through 2016
Maybe optional, be aware that OneNote functionality is drastically reduced with these settings.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001



Disable DDE for Excel 2007 through 2016
Also might be optional, these settings for Excel drastically reduce functionality for advanced lookups, links, and data retrieval.  Expect user complaints.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
 "DontUpdateLinks"=dword:00000001
 "DDEAllowed"=dword:00000000
 "DDECleaned"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
 "WorkbookLinkWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options]
 "DontUpdateLinks"=dword:00000001
 "DDEAllowed"=dword:00000000
 "DDECleaned"=dword:00000001
 "Options"=dword:00000117

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
 "WorkbookLinkWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options]
 "DontUpdateLinks"=dword:00000001
 "DDEAllowed"=dword:00000000
 "DDECleaned"=dword:00000001
 "Options"=dword:00000117

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security]
 "WorkbookLinkWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
 "WorkbookLinkWarnings"=dword:00000002





Coming soon (to be appended to this article): Reverse all above settings back to defaults.