It’s been a busy week in the world of Microsoft Office security risks. Tuesday, the software giant released a patch for CVE-2017-11826, a remote code execution (RCE) vulnerability attackers could exploit to run malware delivered to victims via phishing attachments.
Now comes word of a zero-day vulnerability in Microsoft’s Dynamic Data Exchange (DDE) protocol — which sends messages and shares data between applications. Applications, for example, can use DDE for one-time data transfers and for continuous exchanges where apps send updates to each another as new bits are available.
Sophos researcher Mark Loman says it’s significant because attackers could exploit it to run malware without using macros. He adds:
Microsoft says DDE is legitimate feature since 1993, but since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs).
There’s no word yet on when — or if — Microsoft will develop a patch.
For now, Sophos Intercept X customers are protected. Loman has created the following video showing how Intercept X stops attacks using the DDE zero-day:
For Office threats in general, here’s the advice we typically give: