Surprise! Excel gets a variation of the Word DDE block settings

Tucked away in an old Security Advisory, Microsoft announces new registry settings that control the automatic behavior of Dynamic Data Exchange in Excel.

PC World

You may recall that Microsoft disabled automatic Dynamic Data Exchange (DDE) in Word back in December. I wrote about the problem and its solution in "Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation." Microsoft stopped automatic DDE, the {DDEAUTO} field in Word, while setting up certain registry entries that can soften that decision.

This month, I was surprised to discover Microsoft has made a roughly analogous change in Excel. Applying this month’s Excel security patches doesn’t change the DDE server launch and DDE server lookup settings, but it does give admins the ability to stifle both of the user prompts associated with DDE access.

For example, if your workbook contains a DDEInitiate command, before the DDE connection gets established, by default the user sees a prompt like the one in the screenshot.

Screenshot: Excel's "Remote data not accessible" prompt (Woody Leonhard/IDG)

Excel’s behavior with DDE is quite different from Word’s, so these new settings and their meanings are different. Excel has long had three settings that limit DDE built into the product itself:

  • The "Update links to other documents" option in the Advanced section of the Excel Options dialog box.
  • The startup prompt for the workbook, which can be set to "Don't display the alert and don't update automatic links."
  • The "Prompt user about Data Connections" or "Disable automatic update of workbook links" option in the External Content section of the Trust Center.

This month’s four Excel security patches — KB 4011602 for Excel 2007, KB 4011660 for Excel 2010, KB 4011639 for Excel 2013 and KB 4011627 for Excel 2016 — each add two new registry entries. One of the new registry settings instructs Excel to skip the DDEInitiate dialog box (per the screenshot) and act as if the user clicked "No." The other tells Excel to ignore DDE requests coming from elsewhere on the machine.

All of this came as quite a surprise to me because Microsoft didn’t bother to document any of it in this month’s security bulletins. Instead, the description has been added to last year’s Security Advisory 170021.

If you’re interested in blocking potentially spurious DDE requests in Excel, look at Security Advisory 170021.

Thx, @MrBrian on AskWoody.

Office patches curdling your brain? Join us for therapy on the AskWoody Lounge.

Copyright © 2018 IDG Communications, Inc.
