News

Microsoft Leaves Excel DDE Security Flaw Unpatched

• By Kurt Mackie
• 06/27/2019

Researchers have discovered a flaw in the Microsoft Excel spreadsheet program that, combined with its Power Query data-fetching component, can leave businesses open to so-called "Dynamic Data Exchange" (DDE) attacks.

Power Query is a "data connection technology" that permits data to be dynamically loaded, such as loading data when an Excel spreadsheet gets opened. Excel users might use Power Query to keep data in a spreadsheet updated with the most recent information, and that information might come from an external Web site.

According to a report published on Thursday, researchers at the Mimecast Threat Center have created a proof-of-concept attack where this dynamic loading capability could be exploited to deliver malicious code to a user's machine. They took other measures to make the malicious file, downloaded from a remote server, "appear harmless to a sandbox or other security solutions." This attack methodology could lead to various types of attacks, according to Mimecast researchers:

Because Power Query is a powerful tool within Microsoft Excel, the potential threat for abusing the feature is great. If exploited, it can be used to launch sophisticated attacks that combine several potential attack surfaces, from local privilege escalation, DDE attacks and remote code execution exploits.

No Patch
Microsoft was made aware of the Excel issue. Mimecast researchers took part in Microsoft's coordinated vulnerability disclosure process in collaboration with the Microsoft Security Response Center (MSRC), including the proof-of-concept attack. However, Microsoft declined to issue a patch for it.

"MRSC opened a case but Microsoft decided not to fix this behavior, and their response included a workaround by either using a Group Policy to block external data connections or use the Office Trust center to achieve the same," the Mimecast researchers explained.

The exploit is now partially disclosed, but organizations are left to figure out how to apply Microsoft's workaround themselves, if they are aware of the issue (Microsoft apparently didn't issue a notice). It's not wholly clear what the published Group Policy workaround from Microsoft is, but Mimecast recommended following the advice described in Microsoft Security Advisory 4053440, which was originally published on Nov. 8, 2017, concerning Office documents with fields that use the DDE update capability.

"This advisory [KB4053440] provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange fields," the Mimecast team explained.

Security Advisory KB4053440
In that advisory, Microsoft explained that DDE is a protocol that "sends messages between applications that share data, and uses shared memory to exchange data between applications." It can be used for a one-time data exchange or continuous data exchanges. A potential exploit leveraging DDE is described in Microsoft's advisory, but it's about attacks initiated using e-mail file attachments, so it's apparently describing a different scenario than the proof-of-concept attack outlined by Mimecast. The scenario described by Mimecast involved using DDE to point to a malicious file on a Web site.

Microsoft's advisory doesn't describe the Group Policy changes that organizations can make. Instead, it outlined registry changes that "users" can make, which is an unlikely security approach for organizations to take. In most cases, after these registry changes are applied, it'll still be possible for fields in Office documents to be updated, but an end user will have to manually right-click on a field and then select "Update Field" to make it happen. Apparently, the idea is to block automatic updates for fields in documents. If that's a protection against DDE exploits, it wasn't explained.

Microsoft's advisory suggested that organizations using some of its advanced security tools, such as Windows Defender Exploit Guard and Microsoft Defender Advanced Threat Protection, would have some added protections against these DDE exploits.

Mimecast is a provider of e-mail security protections for organizations. It offers cloud-based solutions for the purpose, and the researchers claimed that "Mimecast Targeted Threat Protection detects and blocks the use of this [DDE attack] technique."