What if I told you that there is a method will let you execute commands on Microsoft Word without any Macros, or memory corruption?!
This Macro-less code execution in Microsoft Word technique has been described in detail by two security researchers from Sensepost, the technique leverages a built-in option of Microsoft Office, named Dynamic Data Exchange (DDE), to execute code.
“Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications.”
The researchers used dynamic data exchange – which is an older technology once used for coding and automation within MS Office applications.This method works even with macros disabled – because it’s not using the macro subsystem.
Many applications use the Dynamic Data Exchange protocol such as Microsoft’s Excel, Microsoft Word, and Visual Basic.
According to researchers:
we noticed that the COM methods DDEInitialize, and DDEExecute were exposed by both MSExcel, and MSWord. Since DDE gave us command execution on MSExcel, we decided to embark on a journey to discover how we can use DDE in MSWord and to see if command execution could also be achieved from it.
This technique was seen actively being exploited in the wild by attackers to target several companies using spoofed phishing emails to make them seem as if they are coming from trusted sources.
Microsoft doesn’t acknowledge this as a security flaw, the company said that the DDE protocol is a feature that can not be eliminated but could be updated with better warning alerts for users in future.