{
	"id": "22ed3dae-7a4d-4b0b-a71f-c8f2520c0a6e",
	"created_at": "2026-04-06T00:11:26.505665Z",
	"updated_at": "2026-04-10T03:21:49.041859Z",
	"deleted_at": null,
	"sha1_hash": "84e776ec4f561e2a95306b58ca5650bb1fb402d8",
	"title": "Microsoft Security Advisory 4053440",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70095,
	"plain_text": "Microsoft Security Advisory 4053440\r\nBy BetaFred\r\nArchived: 2026-04-02 10:35:52 UTC\r\nSecurely opening Microsoft Office documents that contain Dynamic Data\r\nExchange (DDE) fields\r\nPublished: November 8, 2017 | Updated: January 9, 2018\r\nVersion: 3.0\r\nExecutive Summary\r\nMicrosoft is releasing this security advisory to provide information regarding security settings for Microsoft\r\nOffice applications. This advisory provides guidance on what users can do to ensure that these applications are\r\nproperly secured when processing Dynamic Data Exchange (DDE) fields.\r\nAbout Dynamic Data Exchange\r\nMicrosoft Office provides several methods for transferring data between applications. The DDE protocol is a set\r\nof messages and guidelines. It sends messages between applications that share data, and uses shared memory to\r\nexchange data between applications. Applications can use the DDE protocol for one-time data transfers and for\r\ncontinuous exchanges in which applications send updates to one another as new data becomes available.\r\nScenario\r\nIn an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the\r\nuser and then convincing the user to open the file, typically by way of an enticement in an email. The attacker\r\nwould have to convince the user to disable Protected Mode and click through one or more additional prompts. As\r\nemail attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends\r\nthat customers exercise caution when opening suspicious file attachments.\r\nDDE Feature Control Keys\r\nMicrosoft Office provides several feature control keys that are stored in the registry and are responsible for\r\nmodifying product functionality, improving support for industry standards, and improving security. 
Microsoft has\r\ndocumented these feature control keys and recommends enabling specific feature control keys for security\r\nreasons. See the following:\r\nhttps://technet.microsoft.com/library/security/4053440\r\nPage 1 of 6\n\nOffice 2016: Secure and control access to Office\r\nOffice 2013: Secure Office 2013\r\nMicrosoft strongly encourages all users of Microsoft Office to review the security-related feature control keys and\r\nto enable them. Setting the registry keys described in the following sections disables automatic update of data\r\nfrom linked fields.\r\nUpdate On December 12, 2017, Microsoft released an update for all supported editions of Microsoft Word that\r\nallows users to set the functionality of the DDE protocol based on their environment. For more information and to\r\ndownload the update, see ADV170021.\r\nUpdate On January 9, 2018, Microsoft released an update for all supported editions of Microsoft Excel that\r\nallows users to set the functionality of the DDE protocol based on their environment. For more information and to\r\ndownload the update, see ADV170021.\r\nMitigating DDE Attack Scenarios\r\nUsers who wish to take immediate action can protect themselves by manually creating and setting registry entries\r\nfor Microsoft Office. Use the following instructions to set the registry keys based on the Office applications\r\ninstalled on your system.\r\nWarning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to\r\nreinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using\r\nRegistry Editor incorrectly. 
Use Registry Editor at your own risk.\r\nMicrosoft recommends that you back up your Registry before making any changes to registry entries.\r\nMicrosoft Excel\r\nExcel depends on the DDE feature to launch documents.\r\nTo prevent automatic update of links from Excel (including DDE, OLE, and external cell or defined name\r\nreferences), refer to the following table for the registry key version string to set for each version:\r\nOffice Version Registry Key \u003cversion\u003e string\r\nOffice 2007 12.0\r\nOffice 2010 14.0\r\nOffice 2013 15.0\r\nOffice 2016 16.0\r\nTo disable the DDE feature via the user interface:\r\nSet File-\u003eOptions-\u003eTrust Center-\u003eTrust Center Settings…-\u003eExternal Content-\u003eSecurity settings for\r\nWorkbook Links = Disable automatic update of Workbook Links.\r\nTo disable the DDE feature via the Registry Editor:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cversion\u003e\\Excel\\Security]\r\nWorkbookLinkWarnings(DWORD) = 2\r\nImpact of mitigation: Disabling this feature could prevent Excel spreadsheets from updating dynamically if\r\ndisabled in the registry. Data might not be completely up-to-date because it is no longer being updated\r\nautomatically via live feed. To update the worksheet, the user must start the feed manually. 
In addition, the user\r\nwill not receive prompts to remind them to manually update the worksheet.\r\nMicrosoft Outlook\r\nRefer to the following table for the registry key version string to set for each Office version:\r\nOffice Version Registry Key \u003cversion\u003e string\r\nOffice 2010 14.0\r\nOffice 2013 15.0\r\nOffice 2016 16.0\r\nFor Office 2010 and later versions, to disable the DDE feature via the Registry Editor:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cversion\u003e\\Word\\Options\\WordMail]\r\nDontUpdateLinks(DWORD)=1\r\nFor Office 2007, to disable the DDE feature via the Registry Editor:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Word\\Options\\vpref]\r\nfNoCalclinksOnopen_90_1(DWORD)=1\r\nImpact of mitigation: Setting this registry key will disable automatic update for DDE field and OLE links. Users\r\ncan still enable the update by right-clicking on the field and clicking “Update Field”.\r\nMicrosoft Publisher\r\nA Word document using the DDE protocol that is imbedded within a Publisher document could be a possible\r\nattack vector. You can help prevent this attack vector by applying the Word registry key modification. 
See the\r\nfollowing section for the Word registry key values.\r\nMicrosoft Word\r\nSee ADV170021 for an update for Microsoft Word that allows users to set the functionality of the DDE protocol\r\nbased on their environment.\r\nRefer to the following table for the registry key version string to set for each Office version:\r\nOffice Version Registry Key \u003cversion\u003e string\r\nOffice 2010 14.0\r\nOffice 2013 15.0\r\nOffice 2016 16.0\r\nFor Office 2010 and later versions, to disable the DDE feature via the Registry Editor:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cversion\u003e\\Word\\Options]\r\nDontUpdateLinks(DWORD)=1\r\nFor Office 2007, to disable the DDE feature via the Registry Editor:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Word\\Options\\vpref]\r\nfNoCalclinksOnopen_90_1(DWORD)=1\r\nImpact of mitigation: Setting this registry key will disable automatic update for DDE field and OLE links. Users\r\ncan still enable the update by right-clicking on the field and clicking “Update Field”.\r\nWindows 10 Fall Creators Update (version 1709)\r\nUsers of the Windows 10 Fall Creators Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack surface reduction (ASR) rules.\r\nASR is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in\r\nintelligence that can block the underlying behaviors used by malicious documents to execute attacks without\r\nhindering product operation. 
By blocking malicious behaviors independent of what the threat or exploit is, ASR\r\ncan protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities:\r\nCVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.\r\nFor Office apps, ASR can:\r\nBlock Office apps from creating executable content\r\nBlock Office apps from launching child process\r\nBlock Office apps from injecting into process\r\nBlock Win32 imports from macro code in Office\r\nBlock obfuscated macro code\r\nEmerging exploits like DDEDownloader use the Dynamic Data Exchange (DDE) popup in Office documents to\r\nrun a PowerShell downloader; however, in doing so, they launch a child process that the corresponding child\r\nprocess rule blocks.\r\nWindows Defender Exploit Guard can be used with Windows Defender Advanced Threat Protection (ATP) to\r\ninvestigate and respond to enterprise-level security risks and issues. To learn more about Windows Defender\r\nExploit Guard and Windows Defender ATP, see:\r\nWindows Defender Exploit Guard\r\nWindows Defender Advanced Threat Protection\r\nEnroll in a free trial for Windows Defender ATP\r\nWindows Defender Exploit Guard: Reduce the attack surface against next-generation malware\r\nMicrosoft is researching this issue further and will post more information in this article when the information\r\nbecomes available.\r\nAdditional Suggested Actions\r\nProtect your PC\r\nWe continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall,\r\ngetting software updates, and installing antivirus software. For more information, see Microsoft Safety \u0026\r\nSecurity Center.\r\nKeep Microsoft Software Updated\r\nUsers running Microsoft software should apply the latest Microsoft security updates to help make sure that\r\ntheir computers are as protected as possible. 
If you are not sure whether your software is up to date, visit\r\nMicrosoft Update, scan your computer for available updates, and install any high-priority updates that are\r\noffered to you. If you have automatic updating enabled and configured to provide updates for Microsoft\r\nproducts, the updates are delivered to you when they are released, but you should verify that they are\r\ninstalled.\r\nOther Information\r\nDisclaimer\r\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all\r\nwarranties, either express or implied, including the warranties of merchantability and fitness for a particular\r\npurpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including\r\ndirect, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft\r\nCorporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the\r\nexclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not\r\napply.\r\nRevisions\r\nV1.0 (November 8, 2017): Advisory published.\r\nV1.1 (November 30, 2017): Updated the Windows 10 Fall Creators Update section with more information\r\nabout the Attack surface reduction (ASR) rules. This is an informational change only.\r\nV2.0 (December 12, 2017): Microsoft has released an update for all supported editions of Microsoft Word\r\nthat allows users to set the functionality of the DDE protocol based on their environment. For more\r\ninformation and to download the update, see ADV170021.\r\nV3.0 (January 9, 2018): Microsoft has released an update for all supported editions of Microsoft Excel that\r\nallows users to set the functionality of the DDE protocol based on their environment. 
For more information\r\nand to download the update, see ADV170021.\r\nSource: https://technet.microsoft.com/library/security/4053440",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/library/security/4053440"
	],
	"report_names": [
		"4053440"
	],
	"threat_actors": [],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84e776ec4f561e2a95306b58ca5650bb1fb402d8.pdf",
		"text": "https://archive.orkl.eu/84e776ec4f561e2a95306b58ca5650bb1fb402d8.txt",
		"img": "https://archive.orkl.eu/84e776ec4f561e2a95306b58ca5650bb1fb402d8.jpg"
	}
}