In recent months, Microsoft Word has been getting a fair amount of bad press, thanks to an old-but-still-supported feature called DDE (Dynamic Data Exchange). This is the feature that allows Word to pull data from other MS Office applications. For instance, if you embed a chart into your Word document, each time you open the doc, it will automatically poll the spreadsheet the chart was created from and update it dynamically.
It’s a good feature, but unfortunately, it’s subject to abuse by hackers, who can use it to insert malicious code.
For a long time, Microsoft held the opinion that DDE wasn’t flawed per se, and as such, refused to take any action to try and limit its abuse. The thinking was that the company had already done enough since MS Office is designed to display a warning message before actually opening a file, which gives the user a choice.
Unfortunately, hackers have found ways to game that system as well and get around the warning box, and ultimately, that’s what changed the company’s mind.
Back in October, Microsoft published Security Advisory 4053440, which warned of the potential dangers of DDE and advised users on how to disable the feature in Word, Outlook and Excel. The company has now taken things a step further, disabling the feature inside MS Word in the Office Defense in Depth Update, ADV170021.
In fact, the company now sees the problem as being so severe and pervasive that they took the unusual step of issuing an emergency, out-of-band patch to update Word 2003 and 2007, two versions that Microsoft has officially stopped supporting.
If your employees use MS Office, this most recent patch is of critical importance, so if you’re not getting updates automatically, make sure your team knows to grab and apply this one.