Microsoft Office DDE zero-day: are you protected?

It’s been a busy week in the world of Microsoft Office security risks. Tuesday, the software giant released a patch for CVE-2017-11826, a remote code execution (RCE) vulnerability attackers could exploit to run malware delivered to victims via phishing attachments.

Now comes word of a zero-day vulnerability in Microsoft’s Dynamic Data Exchange (DDE) protocol, a Windows mechanism that sends messages and shares data between applications. Applications can use DDE for one-time data transfers and for continuous exchanges in which they send each other updates as new data becomes available. In Office, a field embedded in a document can ask Word to fetch data from another program over DDE, and it is this behaviour that the attacks abuse.

Sophos researcher Mark Loman says it’s significant because attackers could exploit it to run malware without using macros. He adds:

Microsoft says DDE has been a legitimate feature since 1993, but since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs).
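One check a defender can run before a suspicious .docx is opened is to look inside it for the DDE field codes that trigger this behaviour. The following script is an added illustration for this article, not code from Sophos or from the original post. A .docx is a zip archive; Word stores field instructions in the WordprocessingML parts either as a w:instr attribute on w:fldSimple or, for complex fields, as w:instrText runs between fldChar begin/end markers, and it frequently splits one instruction across several runs, which defeats a naive string search. The script reassembles the fragments and reports any field whose instruction contains DDE or DDEAUTO. The sample document it builds in memory is constructed for the demo (the cmd.exe/calc.exe command is a placeholder payload, not a captured sample); it does not inspect RTF or legacy binary .doc files.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field keywords that make Word hand a command line to another program.
DDE_FIELDS = ("DDE", "DDEAUTO")

# Parts of a .docx that can carry fields: body, headers, footers, notes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_instructions(xml_bytes):
    """Yield every complete field instruction found in one WordprocessingML part.

    Simple fields keep the whole instruction in w:fldSimple/@w:instr.
    Complex fields are serialised as runs: a fldChar "begin", one or more
    w:instrText fragments, a fldChar "separate" (result follows) and a
    fldChar "end". Fragments are reassembled here so a split DDEAUTO is
    seen as one instruction; nested fields are folded into the outer one.
    """
    root = ET.fromstring(xml_bytes)
    for simple in root.iter(W + "fldSimple"):
        yield simple.get(W + "instr", "")
    depth = 0
    buf = []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def find_dde(docx_bytes):
    """Return (part_name, normalised_instruction) for each DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for instr in field_instructions(zf.read(name)):
                tokens = instr.split()
                # Strip quotes/braces so a quoted or nested keyword still matches.
                if any(t.strip('"{}').upper() in DDE_FIELDS for t in tokens):
                    hits.append((name, " ".join(tokens)))
    return hits


def build_sample_docx():
    """Constructed sample input: a minimal .docx with one benign PAGE field and
    one DDEAUTO field split across two runs, as Word itself would write it."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>'
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '<w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Error! Not a valid link.</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % W_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not inspected
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python dde_check.py suspicious.docx   (no argument: scan the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for part, instr in find_dde(data):
        print("%s: %s" % (part, instr))
```

The benign PAGE field is ignored and the split DDEAUTO field is reported as a single instruction with its target program and arguments. A hit is not proof of malice, since DDE has legitimate uses, but a DDE field in an unsolicited invoice or job application is exactly the indicator worth quarantining on at the mail gateway.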

There’s no word yet on when — or if — Microsoft will develop a patch.

For now, Sophos Intercept X customers are protected. Loman has created the following video showing how Intercept X stops attacks using the DDE zero-day:

For Office threats in general, here’s the advice we typically give:

  • If you receive a Word document by email and don’t know the person who sent it, it’s better to leave it unopened.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped Word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.
