It is advised to disable DDE support in Microsoft Excel should to prevent attacks, Microsoft says.
Multiple times, Security researchers have found flaws that Microsoft creators overlook. One of which is a legitimate Microsoft Excel technology called Power Query. It can be used to run malicious code with minimal interaction.
In a nutshell, Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page.
The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions.
In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users’ systems.
The attack vector relies on creating malformed Excel documents. These certain documents would use Power Query to import data from a remote server. They can embed malicious content in a separate data source. Then it gets loaded into the spreadsheet once opened. The code can contain certain assortments of malicious code that can be used to drop and execute malware.
It can go much farther as per a technique tested by Mimecast that can even bypass security sandboxes which analyze documents sent via email before allowing users to download and open them.
One thing is for sure, disabling DDE stops attacks. The Power Query technique is eerily similar to a similar malware distribution method detailed in 2017 by SensePost, which abused another Excel feature for importing data in Excel files, namely Dynamic Data Exchange (DDE).
Microsoft has already been contact by Mimecast about this attack vector, however, Microsoft declined to patch it since it is not a vulnerability as per its design. It is only bad people using it to do bad things.
Once DDE is disabled on Microsoft Excel, users should be protected against attacks that target Power Query usage.
Last December 2017, DDE support has been disabled in Microsoft Word, but the same was not done with Excel since it is used for mostly legitimate purposes other than malware distribution.
Instructions on how to disable DDE in Excel are available in Microsoft’s KB4053440 advisory.