Given there are two prompts that the document is trying to do something "different", and the second tells you explicitly it's trying to run an executable and provides a path, is this realistically exploitable?
Even if you've specifically asked that next time it happens they stop and read you the error, they'll click OK and text you "There was an error can you fix it?"
The other scenario where this kind of thing can be useful is poorly secured "kiosks", aka, you want to run arbitrary code but the administrator of that machine doesn't want you to. Macros can be disabled by group policy.
It doesn’t even come with red text and warning signs. Users don’t read this stuff and even if they do, it’s easy to explain the warnings away in the document or the email that contains it.
It is just stupid design and there is no excuse this is still in a supported application in 2017. But then again, what would you expect from Microsoft Office.
But then it's really not much better than spamming a .ps1 or .js script (handled by Windows Script Host by default), or even straight up executable as many already do.
If they're at that level then there's really not much you can do but avoid having them get the stuff in the first place.
So can this, it'd be fairly trivial to detect and block anything using DDE at the file level - however a common strategy is to send an encrypted archive file and give the password in the email to bypass that detection. Trashing all encrypted archives automatically.... ehh, maybe viable?
Oh, to be a fly on the wall of those naive folks that spread DDE, then OLE, then ActiveX all over MS Office, and the poor folks who are now struggling to find and gate every nook and cranny that gunk ended up in.
I'm 51. We PC nerds played with IPC via DDE and even Net DDE in the early 90's Netware days before TCP/IP and HTTP took over with XML or JSON in tow. A script connected "Emacs Lisp" for office automation is still a good idea for professionals. The programmable spreadsheet changed the world in the 1980's like few today could ever imagine. They gave out Office to everyone en masse after that. But hack attacks via email are not always front and center considerations. IPC interoperability is important for folks actually customizing workstation workflows.
> The second prompt asks the user whether or not they want to execute the specified application, now this can be considered as a security warning since it asks the user to execute “cmd.exe”, however with proper syntax modification it can be hidden.
The warning is a security feature, but they didn't elaborate on how you can bypass it with "proper syntax modification". If that's true, then it should be considered at least somewhat exploitable.
Yeah, I wonder if we need two paradigms here. Clicking things should only be for non-executable read-only stuff. And we need another UI verb for when we want to execute code, read/write, etc. Hard to get people onboard though, when they're just used to doing it one way.
The primary issue for me is that in protected mode, you can't copy to clipboard. So I can't take a note and send it to someone, I can't paste something into a ticket system, etc etc. I have to admit I'm pretty used to just clicking out of protected mode.
Word exits protected mode just to print. Apparently you can create screen pixels from that mode, but not if they're going to end up in a PDF or on paper.
I believe this unfortunate idea was introduced in 1993 with Windows 3.1. This was sold as a way for an application like PowerPoint to script access to data for, say, a chart, from a spreadsheet file. This way when the spreadsheet was updated, the PowerPoint was as well.