Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.
Mitigating DDE Attack Scenarios
Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for Microsoft Office. Use the following instructions to set the registry keys based on the Office applications installed on your system.
Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Microsoft Excel
Excel depends on the DDE feature to launch documents.
To prevent automatic update of links from Excel (including DDE, OLE, and external cell or defined name references), refer to the following table for the registry key version string to set for each version:
| Office Version | Registry Key <version> string |
| --- | --- |
| Office 2007 | 12.0 |
| Office 2010 | 14.0 |
| Office 2013 | 15.0 |
| Office 2016 | 16.0 |
- To disable the DDE feature via the user interface: set File -> Options -> Trust Center -> Trust Center Settings… -> External Content -> Security settings for Workbook Links = Disable automatic update of Workbook Links.
- To disable the DDE feature via the Registry Editor:
[HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security] WorkbookLinkWarnings(DWORD) = 2
Impact of mitigation: Disabling this feature in the registry could prevent Excel spreadsheets from updating dynamically. Data might not be completely up to date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.
Microsoft Outlook
Refer to the following table for the registry key version string to set for each Office version:
| Office Version | Registry Key <version> string |
| --- | --- |
| Office 2010 | 14.0 |
| Office 2013 | 15.0 |
| Office 2016 | 16.0 |
- For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
[HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options\WordMail] DontUpdateLinks(DWORD)=1
- For Office 2007, to disable the DDE feature via the Registry Editor:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1
Impact of mitigation: Setting this registry key will disable automatic update for DDE fields and OLE links. Users can still update a link manually by right-clicking on the field and clicking “Update Field”.
Microsoft Publisher
A Word document using the DDE protocol that is embedded within a Publisher document is a possible attack vector. You can help prevent this attack vector by applying the Word registry key modification. See the following section for the Word registry key values.
Microsoft Word
Refer to the following table for the registry key version string to set for each Office version:
| Office Version | Registry Key <version> string |
| --- | --- |
| Office 2010 | 14.0 |
| Office 2013 | 15.0 |
| Office 2016 | 16.0 |
- For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
[HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options] DontUpdateLinks(DWORD)=1
- For Office 2007, to disable the DDE feature via the Registry Editor:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1
Impact of mitigation: Setting this registry key will disable automatic update for DDE fields and OLE links. Users can still update a link manually by right-clicking on the field and clicking “Update Field”.
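The Excel, Outlook and Word registry settings above are the same procedure applied to different keys, so the following PowerShell script (an added example, not part of Microsoft's advisory) audits and applies all of them in one pass for every Office version string found under HKEY_CURRENT_USER. The key paths, value names and DWORD values are exactly those listed in the sections above; the `-Audit` switch, the `$settings` table and the "only versions present under HKCU" detection are the script's own assumptions. Outlook 2007 and Word 2007 share the same `vpref` value, so they appear as one entry.

```powershell
# Added example (not Microsoft's code): audit or apply the DDE-mitigation registry
# values from Security Advisory 4053440 for the current user's Office versions.
# Run without switches to apply; run with -Audit to only report current state.
[CmdletBinding()]
param(
    [switch]$Audit   # report current values without changing anything
)

$officeRoot = 'HKCU:\Software\Microsoft\Office'

# Values taken from the advisory. '{0}' is replaced with the Office version string.
$settings = @(
    @{ App = 'Excel';             Versions = @('12.0', '14.0', '15.0', '16.0')
       Path = '{0}\Excel\Security';        Name = 'WorkbookLinkWarnings';    Value = 2 },
    @{ App = 'Word';              Versions = @('14.0', '15.0', '16.0')
       Path = '{0}\Word\Options';          Name = 'DontUpdateLinks';         Value = 1 },
    @{ App = 'Outlook';           Versions = @('14.0', '15.0', '16.0')
       Path = '{0}\Word\Options\WordMail'; Name = 'DontUpdateLinks';         Value = 1 },
    @{ App = 'Word/Outlook 2007'; Versions = @('12.0')
       Path = '{0}\Word\Options\vpref';    Name = 'fNoCalclinksOnopen_90_1'; Value = 1 }
)

# Assumption: an Office version is "present" for this user when a numeric
# subkey (12.0, 14.0, ...) exists under HKCU\Software\Microsoft\Office.
$present = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    ForEach-Object { $_.PSChildName }

foreach ($s in $settings) {
    foreach ($ver in $s.Versions) {
        if ($present -notcontains $ver) { continue }

        $keyPath = Join-Path $officeRoot ($s.Path -f $ver)
        $current = $null
        if (Test-Path $keyPath) {
            # Returns $null when the value does not exist yet
            $current = (Get-ItemProperty -Path $keyPath -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $state = if ($current -eq $s.Value) { 'OK' } else { 'NOT SET' }
        Write-Output ('{0,-18} {1,-5} {2,-26} current={3,-6} expected={4} [{5}]' -f `
            $s.App, $ver, $s.Name, ($current -as [string]), $s.Value, $state)

        if ($Audit -or $state -eq 'OK') { continue }

        # Create the key if it is missing, then write the REG_DWORD value
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        Write-Output ('  -> set {0}\{1} = {2}' -f $keyPath, $s.Name, $s.Value)
    }
}
```

Because the keys live under HKEY_CURRENT_USER, the script must run in each user's context (for example as a logon script); Office applications that are already open will pick up the new values only after they are restarted. Running with `-Audit` first gives a quick per-version report of which mitigations are already in place, which is also a convenient compliance check after deployment.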
Source : https://technet.microsoft.com/library/security/4053440.aspx?f=255&MSPPError=-2147217396