It’s a good feature, but unfortunately, it’s subject to abuse by hackers, who can use it to insert malicious code.
For a long time, Microsoft held the opinion that DDE wasn’t flawed per se, and as such, refused to take any action to try and limit its abuse. The thinking was that the company had already done enough since MS Office is designed to display a warning message before actually opening a file, which gives the user a choice.Unfortunately, hackers have found ways to game that system as well and get around the warning box, and ultimately, that’s what changed the company’s mind.
Back in October, Microsoft published Security Advisory 4053440, which warned of the potential dangers of DDE and advised users on how to disable the feature in Word, Outlook and Excel. The company has now taken things a step further, disabling the feature inside MS Word in the Office Defense in Depth Update, ADV170021.
In fact, the company now sees the problem as being so severe and pervasive that they took the unusual step of issuing an emergency, out-of-band patch to update Word 2003 and 2007, two versions that Microsoft has officially stopped supporting.
If your employees use MS Office, this most recent patch is of critical importance, so if you’re not getting updates automatically, make sure your team knows to grab and apply this one.