How to fix MS Office Vulnerabilities

Dear EE,

I have two vulnerabilities.


1:- Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440) (ADV170021)

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018


My client has reported DDE vulnerability in there production environment having Microsoft Office Professional Plus 2010 64 Bit.

Can you please help me how can i make / configure DDE vulnerability in my local environment with same Microsoft Office Professional Plus 2010 64 Bit.

So that i can then FIX it and share the steps to my client.

After fixing first one we will move to 2nd one.

Thanks
03-Apr-18-12-41-00-PM.jpg
Netsol-NOSAsked:
Who is Participating?
 
btanExec ConsultantCommented:
Should use the plugin in to scan for the KB installed (for various MS office). Don't think you really need to create a proof of concept to test vulnerability. Nonetheless it did not work out either.
https://www.tenable.com/plugins/nessus/105192
0
 
Netsol-NOSAuthor Commented:
Dear David,

Thank you for your quick reply.

Please see that first we need to reproduce these two Vulnerabilities.
What will be the steps ?

Thanks
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
btanExec ConsultantCommented:
To replicate the exploit, first you need to make the Word or office apps check "Update automatic links at open."
click on "File" in the top left. Then, when a blue bar appears along the left of the screen, click "Options," which will be at the very bottom. The Word Options box will appear. Click on the "Advanced" tab, then scroll almost all the way down until you see General and "Update automatic links at open."
If you have multiple machines under management control, you can disable DDE execution via registry keys.

Thereafter proceed to the below options

For Word, add a formula with the below. DDEAUTO is telling Word that this is a DDE field, the auto part tells it to execute upon opening. This will use cmd.exe to launch calc.exe
   DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
Once everything is in place, we are ready to save the file. Press Ctrl + S to save, then save it anywhere as a ".docx" file, which is the standard for Word. When opened, the user will need to say yes to two pop-ups.
The first is about updating the document links, which shouldn't strike the average user as suspicious. The second one might draw some attention from the more security-minded users, as it asks them about starting an application. If all goes well and the user says yes to both, then the code will execute at this point and your target will do a fright to themselves.
https://null-byte.wonderhowto.com/how-to/execute-code-microsoft-word-document-without-security-warnings-0180495/

For Excel, you can do it too which can also be writing  a short formula (below) to start a command prompt.
  =MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!''

https://null-byte.wonderhowto.com/how-to/exploit-dde-microsoft-office-defend-against-dde-based-attacks-0180706/
0
 
Netsol-NOSAuthor Commented:
Dear Btan,

Thanks for your reply.

Little complicated to reproduce.

Let me follow the steps then i will update you.

Thanks
0
 
Netsol-NOSAuthor Commented:
Dear Btan,

I have tried but as per the below link

https://null-byte.wonderhowto.com/how-to/execute-code-microsoft-word-document-without-security-warnings-0180495/

i only found first Yes option as per below screenshot.

12-Apr-18-4-45-18-PM.jpg
I can not get the second YES option.

Thanks
12-Apr-18-4-45-18-PM.jpg
0
 
btanExec ConsultantCommented:
Same as you when I tried it out and I suspect other newer office version 2013 has such additional prompt. Another is the trust centre setting but have not gone deep to try all, so far no findings too.
0
 
Netsol-NOSAuthor Commented:
Actually we are using Nessus  scanning tool for scanning vulnerability. And through this tool we  are unable to find this two vulnerabilities.

1:- Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440) (ADV170021)

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018

Please suggest.
Even though we have synchronized our Office with the clients office same to same.
0
 
Netsol-NOSAuthor Commented:
Dear Btan,

Thanks for the link, very much appreciated.

I have a question can we REPRODUCE these two vulnerabilities if YES then please help me how.

My environment and the Client environment (Who actually reported these two issues) is almost same with respect to MS OFFICE 2010 Professional please see attached screenshot for reference.

Thanks
Compare.jpg
0
 
Netsol-NOSAuthor Commented:
Dear Btan,

Don't think you really need to create a proof of concept to test vulnerability. Nonetheless it did not work out either

I got your point ok fair enough.

Can you please also help me for the 2nd one.

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018


Thanks
0
 
btanExec ConsultantCommented:
One quick way is to use the plugin to scan for all January 2018 update. Try running through the plugin list and refine searxhto office and web apps

https://www.tenable.com/plugins/search?q=Microsoft%20January%20&sort=&page=1
0
 
Netsol-NOSAuthor Commented:
Dear Btan was very helpfull during all the conversation for resolving Office (DDE) vulnerability.
0
 
btanExec ConsultantCommented:
Thanks for the kind words. Glad I have helped.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.