Executive Summary

Summary
Title: Microsoft Security Advisory 4053440

Information
Name: KB4053440
First vendor Publication: 2017-11-08
Vendor: Microsoft
Last vendor Modification: 2017-11-08
Severity (Vendor): N/A
Revision: 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Microsoft Security Advisory 4053440

Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields

Published: November 8, 2017

Version: 1.0

Overview

Executive Summary

Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

About Dynamic Data Exchange

Microsoft Office provides several methods for transferring data between applications. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Scenario

In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.

DDE Feature Control Keys

Microsoft Office provides several feature control keys that are stored in the registry and are responsible for modifying product functionality, improving support for industry standards, and improving security. Microsoft has documented these feature control keys and recommends enabling specific feature control keys for security reasons. See the following:

  • Office 2016: Secure and control access to Office
  • Office 2013: Secure Office 2013

Microsoft strongly encourages all users of Microsoft Office to review the security-related feature control keys and to enable them. Setting the registry keys described in the following sections disables automatic update of data from linked fields.

Mitigating DDE Attack Scenarios

Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for Microsoft Office. Use the following instructions to set the registry keys based on the Office applications installed on your system.

Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.


Microsoft Excel

Excel depends on the DDE feature to launch documents.

To prevent automatic update of links from Excel (including DDE, OLE, and external cell or defined name references), refer to the following table for the registry key version string to set for each version:

Office Version    Registry Key <version> string
Office 2007       12.0
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0


  • To disable the DDE feature via the user interface:

    Set File->Options->Trust Center->Trust Center Settings...->External Content->Security settings for Workbook Links = Disable automatic update of Workbook Links.

  • To disable the DDE feature via the Registry Editor:
     [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security] WorkbookLinkWarnings(DWORD) = 2 

Impact of mitigation: Disabling this feature in the registry could prevent Excel spreadsheets from updating dynamically. Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.

Microsoft Outlook

Refer to the following table for the registry key version string to set for each Office version:

Office Version    Registry Key <version> string
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0


  • For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
     [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options\WordMail] DontUpdateLinks(DWORD)=1
  • For Office 2007, to disable the DDE feature via the Registry Editor:
     [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1

Impact of mitigation: Setting this registry key will disable automatic update for DDE field and OLE links. Users can still enable the update by right-clicking on the field and clicking Update Field.

Microsoft Publisher

A Word document that uses the DDE protocol and is embedded within a Publisher document could be a possible attack vector. You can help prevent this attack vector by applying the Word registry key modification. See the following section for the Word registry key values.

Microsoft Word

Refer to the following table for the registry key version string to set for each Office version:

Office Version    Registry Key <version> string
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0


  • For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
     [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options] DontUpdateLinks(DWORD)=1
  • For Office 2007, to disable the DDE feature via the Registry Editor:
     [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1

Impact of mitigation: Setting this registry key will disable automatic update for DDE field and OLE links. Users can still enable the update by right-clicking on the field and clicking Update Field.
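
The registry settings listed above for Excel, Outlook and Word, collected into one audit script. This is an added example, not part of Microsoft's advisory: the function name Get-DdeMitigation and its -Apply switch are hypothetical, while the keys, value names and data are the ones the advisory lists.

```powershell
# Added example: report (and with -Apply, set) the advisory's per-user values.
# Get-DdeMitigation is a hypothetical helper name, not a Microsoft cmdlet.
function Get-DdeMitigation {
    param([switch]$Apply)   # without -Apply the function only reports

    $root = 'HKCU:\Software\Microsoft\Office'
    # Sub-key, value name, expected DWORD and Office versions, as given in the advisory.
    $settings = @(
        @{ App = 'Excel';   Sub = 'Excel\Security';        Name = 'WorkbookLinkWarnings'
           Want = 2; Versions = @('12.0', '14.0', '15.0', '16.0') }
        @{ App = 'Outlook'; Sub = 'Word\Options\WordMail'; Name = 'DontUpdateLinks'
           Want = 1; Versions = @('14.0', '15.0', '16.0') }
        @{ App = 'Word';    Sub = 'Word\Options';          Name = 'DontUpdateLinks'
           Want = 1; Versions = @('14.0', '15.0', '16.0') }
        @{ App = 'Word/Outlook 2007'; Sub = 'Word\Options\vpref'; Name = 'fNoCalclinksOnopen_90_1'
           Want = 1; Versions = @('12.0') }
    )

    foreach ($s in $settings) {
        foreach ($v in $s.Versions) {
            # Skip Office versions that have no settings in this user's profile.
            if (-not (Test-Path "$root\$v")) { continue }
            $key = "$root\$v\$($s.Sub)"
            # A missing key or value yields $null, which is reported as non-compliant.
            $current = (Get-ItemProperty -Path $key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)

            if ($Apply -and $current -ne $s.Want) {
                # Create the key only when absent; -Force on an existing key would reset it.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
                $current = $s.Want
            }

            [pscustomobject]@{
                App = $s.App; Version = $v; Value = $s.Name; Key = $key
                Current = $current; Expected = $s.Want; Compliant = ($current -eq $s.Want)
            }
        }
    }
}

# Report only; run Get-DdeMitigation -Apply to write the values.
Get-DdeMitigation | Format-Table App, Version, Value, Current, Expected, Compliant
```

The keys live under HKEY_CURRENT_USER, so the result reflects only the account the script runs as; each user profile on a shared machine has to be checked in that user's context.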


Windows 10 Fall Creators Update (version 1709)

Users of the Windows 10 Fall Creators Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR).

Attack Surface Reduction is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.

For Office apps, ASR can:

  • Block Office apps from creating executable content
  • Block Office apps from launching child process
  • Block Office apps from injecting into process
  • Block Win32 imports from macro code in Office
  • Block obfuscated macro code

Emerging exploits like DDEDownloader use the Dynamic Data Exchange (DDE) popup in Office documents to run a PowerShell downloader; however, in doing so, they launch a child process that the corresponding child process rule blocks.

To learn more about Windows Defender Exploit Guard, see:

https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

Microsoft is researching this issue further and will post more information in this article when the information becomes available.

Additional Suggested Actions

  • Protect your PC
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center.
  • Keep Microsoft Software Updated
    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 8, 2017): Advisory published.

Page generated 2017-11-08 09:15-08:00.

Original Source

Url : http://www.microsoft.com/en-us/library/security/4053440.mspx

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
50 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Application 484
Application 3
Application 8
Application 1
Application 1
Application 3
Application 1
Application 1
Application 1
Application 4
Application 1

Snort® IPS/IDS

Date Description
2017-11-16 Microsoft Office Word docx object type confusion attempt
RuleID : 44586 - Revision : 3 - Type : FILE-OFFICE
2017-11-16 Microsoft Office Word docx object type confusion attempt
RuleID : 44585 - Revision : 3 - Type : FILE-OFFICE
2017-11-16 Adobe Flash Player array type confusion attempt
RuleID : 44584 - Revision : 2 - Type : FILE-FLASH
2017-11-16 Adobe Flash Player array type confusion attempt
RuleID : 44583 - Revision : 2 - Type : FILE-FLASH
2017-10-17 RTF WSDL file download attempt
RuleID : 44372 - Revision : 2 - Type : FILE-OFFICE
2017-10-17 RTF WSDL file download attempt
RuleID : 44371 - Revision : 2 - Type : FILE-OFFICE
2017-10-12 WSDL soap endpoint location code injection attempt
RuleID : 44354 - Revision : 2 - Type : FILE-OTHER
2017-10-12 WSDL soap endpoint location code injection attempt
RuleID : 44353 - Revision : 2 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-11-03 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038781.nasl - Type : ACT_GATHER_INFO
2017-10-23 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201710-22.nasl - Type : ACT_GATHER_INFO
2017-10-18 Name : The remote Windows host has a browser plugin installed that is affected by a ...
File : smb_nt_ms17_oct_4049179.nasl - Type : ACT_GATHER_INFO
2017-10-18 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2017-2899.nasl - Type : ACT_GATHER_INFO
2017-10-18 Name : The remote macOS or Mac OS X host has a browser plugin installed that is affe...
File : macosx_flash_player_apsb17-32.nasl - Type : ACT_GATHER_INFO
2017-10-18 Name : The remote Windows host has a browser plugin installed that is affected by a ...
File : flash_player_apsb17-32.nasl - Type : ACT_GATHER_INFO
2017-10-17 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_a73518dab2fa11e798efd43d7ef03aa6.nasl - Type : ACT_GATHER_INFO
2017-10-11 Name : The Microsoft Office Products are affected by multiple vulnerabilities.
File : smb_nt_ms17_oct_office.nasl - Type : ACT_GATHER_INFO
2017-10-11 Name : An application installed on the remote Windows host is affected by multiple r...
File : smb_nt_ms17_oct_office_web.nasl - Type : ACT_GATHER_INFO
2017-10-11 Name : The Microsoft Sharepoint Server installation on the remote host is affected b...
File : smb_nt_ms17_oct_office_sharepoint.nasl - Type : ACT_GATHER_INFO
2017-10-10 Name : The Microsoft Office Products are missing a security update.
File : smb_nt_ms17_oct_word_viewer.nasl - Type : ACT_GATHER_INFO
2017-10-10 Name : Microsoft Office Compatibility Pack SP3 is affected by a remote code executio...
File : smb_nt_ms17_oct_office_compatibility.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038777.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_win2008.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host has a software framework installed that is affected b...
File : smb_nt_ms17_sep_4041083.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038799.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038792.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038788.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038783.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038782.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-11-08 21:23:19
  • First insertion