
Nearly undetectable Microsoft Office exploit installs malware without an email attachment

Security firm Sophos has documented an attack technique that abuses Dynamic Data Exchange (DDE), a Windows inter-application messaging protocol dating from 1987, to run code from an Office document or email that contains no macro and no embedded executable, leaving little for signature-based antivirus to flag.

A newly documented Microsoft Office attack technique could put any machine with an Office install at risk. According to a blog post from cybersecurity company Sophos, it can deliver remote access Trojans (RATs) without the need to run macros, so the usual advice to keep macros disabled does not stop it.

It abuses Microsoft's Dynamic Data Exchange (DDE) protocol, which has been part of Windows since 1987 and is honoured by several Office applications, including Word, Excel and Outlook (which uses Word's engine to render rich text email).

A second blog post from Sophos revealed an even more concerning layer to the exploit: It can be triggered through an email or calendar invite without the need for an attachment.

Why DDE is a security hole

The Dynamic Data Exchange protocol is a Windows mechanism for passing data between running applications; Office exposes it through fields and links, so a document can ask another program for data and display the result.

Typical legitimate uses are a Word field that pulls figures from an Excel workbook, or an Excel workbook that receives live data from a feed application, updated without the user doing anything. The security-relevant detail is that a DDE field names the application that should supply the data and the request to send it; if that application is not running, Word offers to start it. Nothing restricts the named application to Excel, so a field can name cmd.exe or powershell.exe and hand it a command line.


The classic delivery vehicle is, no surprise, an attachment. A document carrying a DDE field looks clean to macro-focused defences, because there is no macro and no embedded binary to scan. When the field updates, Word launches the named program with the attacker's arguments, typically a command interpreter that downloads a RAT from a server the attacker controls and runs it. Word does show the two prompts described below for Outlook before it starts the program, but their wording is generic and many users click through them, so the payload is running before the user realises anything is wrong.


DDE exploits in Outlook: Changing the email attack game

Sophos' follow-up post regarding DDE exploitation in Outlook is even more concerning since it eliminates the need to send attachments to execute an attack.

All an attacker needs to do is format an email message or a calendar invite in rich text format (RTF) and place a DDE field in the body. Outlook renders RTF with Word's engine, so the field is processed just as it would be in a document, and the recipient sees only the field's displayed result, never the field code. There is one bright spot, though: the attack is not completely automated. As with a DDE field in a Word document, the user has to approve it twice.

The first prompt is a dialog box that says "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" Clicking No stops the attack dead in its tracks.

If the user clicks Yes, a second dialog box appears and they must click Yes again. This one is the tell: it names the program the field is trying to start (cmd.exe, powershell.exe or similar) and asks whether to start it. No legitimate invoice, invite or report needs a command interpreter, so clicking No here stops the attack.
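
Because the only attacker-controlled content in such a document or message is the field instruction, detection can key on that instruction rather than on the payload it later downloads. Below is a scanner added to this article as an illustration; it is not code from Sophos or from the article's author. It extracts every field instruction from a .docx (simple fields and complex fields spread across instrText runs, including nested ones) and from RTF (\fldinst groups, with RTF's \'hh hex escapes decoded, since splitting DDEAUTO across runs or hex-encoding one letter are easy ways to dodge a naive string match) and flags instructions that begin with DDE or DDEAUTO. The sample document part and RTF body are constructed inline, and their field points cmd.exe at calc.exe rather than at a downloader; the markup used is the standard Word field syntax for OOXML and RTF.

```python
r"""Scan .docx files and RTF text (the format of a DDE-bearing Outlook message)
for Dynamic Data Exchange field instructions. Added example for this article,
not Sophos's or the author's code. A DDE document carries no macro; its payload
is a field instruction such as DDEAUTO c:\\windows\\system32\\cmd.exe "/c ..."
stored in word/document.xml (.docx) or in an RTF {\*\fldinst ...} group.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Word accepts "DDE" or "DDEAUTO" in any letter case, with leading whitespace.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

def docx_field_instructions(docx_bytes: bytes) -> list:
    """Return every field instruction in the main document part of a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    found = [f.get(W + "instr", "").strip() for f in root.iter(W + "fldSimple")]
    # Complex fields spread the instruction over instrText runs between fldChar
    # begin/end markers, possibly nested; a stack reassembles each one so that
    # "DDE" + "AUTO" split across two runs is still seen as a single word.
    stack = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                found.append("".join(stack.pop()).strip())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return found

def _decode_rtf_text(raw: str) -> str:
    """Reduce the contents of an RTF group to the plain field instruction."""
    text = raw.replace("\\\\", "\x00")                            # escaped backslash
    text = re.sub(r"\\'([0-9a-fA-F]{2})",                        # \'hh hex escapes, a
                  lambda m: chr(int(m.group(1), 16)), text)       # common way to hide DDEAUTO
    text = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", text)                # control words
    text = re.sub(r"\\[^a-zA-Z]", "", text)                       # control symbols such as \*
    text = text.replace("{", "").replace("}", "")
    return text.replace("\x00", "\\").strip()

def rtf_field_instructions(rtf: str) -> list:
    """Return the decoded text of every \\fldinst group in an RTF string."""
    found = []
    for m in re.finditer(r"\\fldinst\b", rtf):
        depth, i, chunk = 1, m.end(), []
        while i < len(rtf) and depth > 0:                # walk to the group's closing brace
            ch = rtf[i]
            if ch == "\\" and i + 1 < len(rtf):          # keep escape pairs (\\ \{ \') intact
                chunk.append(rtf[i:i + 2])
                i += 2
                continue
            depth += {"{": 1, "}": -1}.get(ch, 0)
            if depth > 0:
                chunk.append(ch)
            i += 1
        found.append(_decode_rtf_text("".join(chunk)))
    return found

def scan_docx(docx_bytes: bytes) -> list:
    """DDE/DDEAUTO field instructions found in a .docx."""
    return [i for i in docx_field_instructions(docx_bytes) if DDE_RE.match(i)]

def scan_rtf(rtf: str) -> list:
    """DDE/DDEAUTO field instructions found in RTF (a file or an Outlook body)."""
    return [i for i in rtf_field_instructions(rtf) if DDE_RE.match(i)]

def build_docx(document_xml: str) -> bytes:
    """Zip a minimal .docx in memory holding only the part the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples (no real malware: the field only asks cmd.exe to run calc.exe).
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DDE</w:instrText></w:r>
<w:r><w:instrText>AUTO c:\\windows\\system32\\cmd.exe "/c calc.exe"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Loading...</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p></w:body></w:document>"""
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}
\f0\fs22 Quarterly figures are in the linked sheet.\par
{\field{\*\fldinst {HYPERLINK "https://example.com/report"}}{\fldrslt {report}}}\par
{\field{\*\fldinst {DDE\'41UTO c:\\\\windows\\\\system32\\\\cmd.exe "/c calc.exe"}}{\fldrslt {Loading...}}}\par
}"""

if __name__ == "__main__":
    print("docx:", scan_docx(build_docx(SAMPLE_DOCUMENT_XML)))
    print("rtf: ", scan_rtf(SAMPLE_RTF))
```

The same check can run at a mail gateway or in an attachment sandbox, where it needs no user prompt at all. Treat any DDE instruction that names a command interpreter or script host as a block rather than a warning: legitimate DDE links name a data application such as Excel, not cmd.exe.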

How to stop DDE attacks

As of this writing, Microsoft has not announced a fix. DDE is a long-standing, documented feature rather than a bug, and switching it off outright would break the documents and workbooks that legitimately rely on it, so any change is a matter of hardening defaults rather than correcting a flaw.


There is also no guaranteed way to stop DDE attacks. The document or message carries no malware of its own, only a short field instruction; the malicious code is fetched from a remote server at the moment the field updates, so antivirus that scans the attachment for known-bad binaries or macros has little to find. (The field instruction itself, which begins with DDE or DDEAUTO, is scannable, and gateways and sandboxes can look for it.) That said, DDE attacks arrive by familiar routes, so IT professionals and users should apply the usual protective measures:

  • Don't open attachments from unfamiliar sources. If possible, block attachments to user email addresses.
  • Emails read in plain text are not rendered by Word, so a DDE field in an RTF message is never processed; if it isn't a huge inconvenience to users it may be worth forcing plain text. Keep in mind that this strips HTML and other formatting as well, which can make some emails harder to read.
  • Don't ignore popup messages! Even in the worst-case DDE attack scenario, users are still prompted twice, and the second prompt names the program about to be launched. A document that wants to start cmd.exe or powershell.exe is a red flag, so be sure you don't simply blindly click Yes.
  • If possible, consider an email gateway security solution. Gateways can stop questionable email from ever reaching recipients, eliminating the biggest cybersecurity threat organizations face: accidents.

The top three takeaways for TechRepublic readers:

  1. A newly documented Microsoft Office attack technique makes it possible for attackers to execute malicious code on target machines without macros or, in some cases, attachments.
  2. The attack utilizes Microsoft's Dynamic Data Exchange protocol, which allows documents to fetch and exchange data from other applications. The document itself carries only a field instruction; the malicious code sits on the attacker's server, so attachment scanning for known malware finds little.
  3. Microsoft has not announced any plan to patch the technique. IT professionals can protect themselves and their users by ensuring they aren't opening suspicious attachments, by reading popup windows to see what program they are being asked to start, and by implementing email security gateways.


About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
