Office has long been a means by which attackers get into our systems. Nearly every month Office receives patches for remote code execution vulnerabilities.
Microsoft patches what vulnerabilities it can. Take the November Office updates, which fixed issues in older, obsolete components of Office 2016 that affected ODBC drivers. But as this research blog post points out, mitigation in addition to patching is probably wise.
The view that mitigation may matter more than patching is reinforced by the disclosure of another Office vulnerability that won't be patched. It can't be patched in the usual sense, because what is being abused is a documented feature of the product rather than a bug, and blocking it changes how your system works. You have to decide how much risk you are willing to accept. Called DDEAuto, the attack allows malicious code to be executed from an email without any attachment or macro. These macro-less attacks have already been used in malware campaigns such as Vortex ransomware and Hancitor.
In the example described in the Sophos blog, the attack arrives as a calendar invite rather than an ordinary email. The payload is RTF (rich text format) content and is often not a traditional attachment at all. So what can you do if you want to protect yourself from these attacks? Stop opening emails? Never open Excel or Word documents? An admirable protection scheme, but not realistic for most computer users, and especially not for small businesses.
Microsoft has long built into its Office products the means to exchange data between applications and other platforms. Dynamic Data Exchange, or DDE, is one such method. A DDE field in a document tells Word which program to start as the data source and then shows whatever that program returns, which is exactly the behaviour the attack abuses: the "program" named in the field is whatever the attacker chose.
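Because the attack rides in a field code rather than a macro, a mail gateway or incident responder can look for the field itself. The script below is an added example written for this page, not code from Sophos, Microsoft or any campaign write-up. It extracts field instructions from RTF and .docx content and flags any containing DDE or DDEAUTO, re-assembling keywords that have been split across runs or hidden behind RTF hex escapes. All sample documents are constructed inline, and the payload they carry (cmd.exe launching calc.exe) is the harmless proof-of-concept form, not a real campaign artifact.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# A field instruction beginning with DDE or DDEAUTO makes Word start the named
# program as a DDE "server" when the field updates; that is the abused feature.
DDE_FIELD_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

# One RTF token at a time, left to right, so an escaped backslash (\\) is
# consumed before it can be mistaken for the start of a control word.
_RTF_TOKEN = re.compile(r"\\'([0-9a-fA-F]{2})|\\([a-zA-Z]+)(-?\d+)? ?|\\(.)|([{}])")


def _decode_rtf_text(s: str) -> str:
    """Reduce an RTF fragment to the text Word would see."""
    def sub(m):
        if m.group(1):                 # \'41 -> "A"
            return chr(int(m.group(1), 16))
        if m.group(2):                 # control word such as \par or \u1234
            return ""
        if m.group(4) is not None:     # escaped literal: \\ \{ \}
            return m.group(4)
        return ""                      # bare { or } (group delimiters)
    return " ".join(_RTF_TOKEN.sub(sub, s).split())


def rtf_field_instructions(rtf: str) -> list:
    """Return the decoded instruction text of every \\fldinst group."""
    out = []
    for m in re.finditer(r"\\fldinst\b", rtf):
        depth, i, buf = 0, m.end(), []
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:          # closing brace of the \fldinst group
                    break
                depth -= 1
            buf.append(c)
            i += 1
        out.append(_decode_rtf_text("".join(buf)))
    return out


def docx_field_instructions(data: bytes) -> list:
    """Return every field instruction in a .docx, joining the instrText runs
    between a fldChar begin and its separate/end so split keywords re-form."""
    W = "{%s}" % W_NS
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            current = None
            for el in ET.fromstring(z.read(name)).iter():   # document order
                if el.tag == W + "fldSimple":
                    out.append(el.get(W + "instr", ""))
                elif el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        current = []
                    elif kind in ("separate", "end") and current is not None:
                        out.append("".join(current))
                        current = None
                elif el.tag == W + "instrText" and current is not None:
                    current.append(el.text or "")
    return [" ".join(f.split()) for f in out]


def scan(data: bytes) -> list:
    """Sniff the content rather than trusting the extension (Word opens an
    RTF payload renamed .doc just fine) and return DDE field instructions."""
    if data.startswith(b"{\\rtf"):
        fields = rtf_field_instructions(data.decode("latin-1"))
    elif data.startswith(b"PK"):
        fields = docx_field_instructions(data)
    else:
        fields = []
    return [f for f in fields if DDE_FIELD_RE.search(f)]


def build_docx(document_xml: str) -> bytes:
    """Build a minimal .docx in memory (constructed test input, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples; the payload is the harmless cmd.exe/calc.exe proof of concept.
PAYLOAD = r'c:\\windows\\system32\\cmd.exe "/k calc.exe"'        # RTF-escaped backslashes
SAMPLE_RTF = r"{\rtf1\ansi{\field{\*\fldinst DDEAUTO " + PAYLOAD + r"}{\fldrslt Loading...}}\par}"
# Same field, keyword split into a sub-group with one letter hex-escaped (\'41 = "A").
OBFUSCATED_RTF = r"{\rtf1\ansi{\field{\*\fldinst {DDE}\'41UTO " + PAYLOAD + r"}{\fldrslt x}}}"
SAMPLE_DOCX = build_docx(
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>' % W_NS)
BENIGN_DOCX = build_docx(
    '<w:document xmlns:w="%s"><w:body><w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "/>'
    '</w:p></w:body></w:document>' % W_NS)

if __name__ == "__main__":
    for label, doc in [("rtf", SAMPLE_RTF.encode()), ("rtf-obfuscated", OBFUSCATED_RTF.encode()),
                       ("docx", SAMPLE_DOCX), ("docx-benign", BENIGN_DOCX)]:
        print(label, scan(doc))
```

The scanner deliberately matches DDE anywhere in the instruction text, not only at the start, because attackers nest the field inside QUOTE or similar wrappers; a legitimate document with a DDE field is rare enough that reviewing every hit is the safer trade-off.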