back to article Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

Malware exploiting Microsoft Word's DDE features to infect computers has been lobbed at US government-backed mortgage biz Freddie Mac. Well-crafted phishing emails were sent to staff promising free tickets to a Halloween event at a nearby Six Flags amusement park. If employees click through a link in the message, they're …

  1. Sureo


    Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith.

    1. a_yank_lurker Silver badge

      Re: Bye

      It is not that unusual for an employee to get an email about tickets to an event or something similar which looks legitimate at a skim. It is not like one is going to look at the email header or verify every sender in large organization, if it feels legitimate then some will respond.

      Part of the problem is DDE is an Office 'feature' that has probably outlived its usefulness by a couple of decades. But Slurp will not deprecate it in new releases as it breaks backwards compatibility even if it is security risk.

      1. Lysenko

        Re: Bye

        It's not that unusual to encounter road signs when driving, but some people are just in a hurry to get on with their day and pay little attention to them.

        So, if there's a clearly signposted side road and some lazy twit pays no attention and causes an accident, the problem is the side road? It should be removed, severely inconveniencing the residents of the small village it leads to, because some clueless morons can't be bothered to read road signs?

        I think not. What you do is prosecute the idiots and revoke their driving licenses. In a case like this, that means firing people. Not because it will rectify this specific instance of the problem rather, like many such sanctions regimes, pour encourager les autres.

        1. MartinBZM

          Re: Bye

          Pas devant les enfants ...

      2. bombastic bob Silver badge

        Re: Bye

        "as it breaks backwards compatibility"

        /me accidentally ruins keyboard after doing a "spit-take"

      3. LDS Silver badge

        DDE is a Windows feature - not an Office one

        For example, even when an application is started initial data can be passed through DDE, instead of the command line.

        Removing it could really make a lot of older applications stop working correctly.

        Because Windows users usually pay for software, it's not nice to have a new release suddenly create problem to older software. Especially big customers may be really upset.

        1. Christian Berger

          Re: DDE is a Windows feature - not an Office one

          Well DDE is one of several simmilar features (because Microsoft just loves reinventing features). OLE Automation is, as far as I know, distinct from it.

          And of course there's probably still lots of software around which is vulnerable to that timer callback pointer problem, where an external message can include a callback pointer which will be called.

          In short, there are no security boundaries between different programs running under the same user.

      4. Anonymous Coward
        Anonymous Coward

        Re: Bye

        Agreed. The organization, in which I work, employs thousands of people, so the whole range of computer/security knowledge. I get hundreds of emails a day with something like 10 to 40 requiring a response. Thankfully, I can filter most of my emails to folders other than my inbox and if not specifically asked to act upon them they hit the void after they're a couple of weeks old.

        I'd suggest that under the right stress/work pressure anyone could mistaken click through a warning like that. Especially, if one thought there be a second if there were further issues.

    2. bombastic bob Silver badge

      Re: Bye

      yeah, usually it's "the accountant" opening something from "the customer" or "the creditor" etc.

    3. RockBurner

      Re: Bye

      I can think of several roles within an office that would legitimately be opening emails advertising special offers for trips to entertainment venues: anyone who does 'team moral' for starters. The vast majority of them (ime) are utterly clueless technologically speaking, so I'd expect this attack vector to be pretty successful.

    4. Christian Berger

      The problem is deeper

      1. Users on Windows are conditioned to always click "OK" when a popup appears. Popups appear even for completely pointless reasons. To the user they all look alike.

      2. The default way to install software on Windows is to download some file from some obscure location and then essentially execute it.

      3. Because of 2, Browsers often allow you to execute files you just downloaded right away, eliminate precious seconds in which the user could think about what they are doing.

      4. This is not limited to Windows, but there are idiots who believe that sandboxes work, even though they have been proven otherwise countless times. Those people insist on turing complete languages even in places where they are not essential. The results are websites that require javascript, or companies requiring you to install an app to get to their services.

      1. LDS Silver badge

        "is to download some file from some obscure location"

        Don't know which your software suppliers are, but mine don't have "wharez" in their name....

    5. Fatman

      Re: Bye

      <quote>Anyone dumb enough to click through security warnings to conduct personal affairs on a company computer should be shown the door forthwith taken up to the roof, and by the use of a trebuchet, sent on a new career trajectory.</quote>



  2. 404


    "whizzbang space-age technospeak jargon-pest"

    Good one!

  3. Herby

    Security warnings??

    Isn't that the Windows Boot screen. There is no 'OK' there.

    Maybe this isn't a joke after all.

  4. fobobob

    Dinosaur Dinosaur Evolution! When trying to interface a utility with a crusty old piece of software, I wound up opting to use SendMessage() and send data 1 character at a time as wParam. Passed over it mainly due to the odds of.. well, this sort of thing. COM/OLE stuff has worked for every other case I might have had a reason to consider it.

    1. 9Rune5 Silver badge

      I thought OLE was built upon DDE.

      And I thought what the article described (embedding an excel spreadsheet in a word doc) was the domain of OLE. DDE allows data to be exchanged, but OLE (Object Linking and Embedding or something like that) was the way to go if you wanted to interact with objects from other apps.

      Thankfully... That was a long time ago and is now mostly hidden away from today's developers.

  5. TRT Silver badge

    pivoting through Microsoft Excel

    I see what you did there.

    1. Korev Silver badge

      Re: pivoting through Microsoft Excel

      It's good that they can table these puns

      1. Korev Silver badge

        Re: pivoting through Microsoft Excel

        They should probably spend some time in a cell for it though...

  6. Timmy B

    Just Seems Obvious...

    DDE is something I can't see being used very much bu anyone. So turn it off by default and then when something wants to use it alert the user that it will need to be installed and what that may mean. I suspect, though, that somewhere internally Office is using it and that's the real reason it can't be removed.

  7. Anonymous Coward
    Anonymous Coward


    There's always one (or often, sadly many more) in an organisation.

    Who refuses to fix something that really is a massive problem (never trust users auto pilot clicking a few boxes as meaningful)

    A non IT example, lots of fire engines were called to a lab recently as smoke billowing out.... (and so just in case big response as coudld potentially be all sorts of major nastiness in lab fire)

    Turned out cause was plastic ware put in heating oven (these get v. hot, so plastic combusted, lots & lots of smoke but fire contained to inside oven as various fire defence systems present in lab).

    On the door of said oven was a big sign that explicitly said NOT to put plastic ware in the oven....

    So, when you cannot rely on someone in a hurry to read huge red warning text in front of them, expecting informed consent on a mundane looking tickbox on a PC is fantasy land

    AC to reduce chance of exact people involved being revealed (I'm not the smoky culprit I should add!)

  8. David Roberts Silver badge

    Am I the only one.......

    ......who would have launched the photon torpedoes?

    Because, well, security, meh, but, photon torpedoes!!!

  9. Version 1.0 Silver badge

    Kill them all!

    This is why I strip all Microsoft documents (and a great many other) attachment file-types at the mail server - the email is allowed through but the document is removed. It's a minor inconvenience as the users can go to another place and retrieve the complete email if they really need it but it makes everyone think before they open those malware gifts that arrive every day.

    paymentdetails.docx = paymentdetails.pdf.js = paymentdetails.iso = paymentdetails.doc.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021