Microsoft has finally admitted what was obvious to everyone else, that the DDE part of Office is dangerous and should be disabled.
The latest patches have finally provided a way to disable the DDE feature in Office, either completely or in part. Something that’s looooong overdue.
Sidebar
There are two main ways for Office programs to exchange information (e.g. add an Excel worksheet into a Word document).
DDE or Dynamic Data Exchange was the original Office method.
OLE or Object Linking and Embedding replaced DDE many years ago,
DDE should be dead like the proverbial parrot. It’s a hackers dream and has been used to infect computers for years. Every time a new DDE exploit is found, Microsoft patches this old technology.
Once you’ve installed the December 2017 security updates for Office 2016, 2013, 2010 and 2007 DDE is disabled.
Restoring DDE
For the vast majority, DDE is not needed and the new default won’t make any difference to the way you use Office.
If you need DDE for some purpose, go into the Registry to enable it fully or, better, use the new ‘middle path’ which stops new programs starting.
\HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security
Replace <version> with the internal version for Office:
Office 2016=16.0 Office 2013=15.0 Office 2010=14.0 Office 2007=12.0
Create or use the key AllowDDE a DWORD value:
0: Disables DDE The new default setting after you install the Dec. 2017 update. Leave DDE disabled unless you have a specific reason for letting it work.
1: Allows DDE requests but only to an already running program. DDE can’t launch another executable program.
2: Fully allow DDE requests, NOT recommended unless you’re really sure.
What took Microsoft so long?
This option should have been available for a long time. Microsoft appears to be reluctant to drop DDE because it would be an admission of the security problems inherent in the technology.
