Microsoft Excel, Microsoft Office, Office 2007, Office 2010, Office 2013, Office 2016, Office 2019, Office 365 /

Excel’s Power Query security exploit is a worry, but not a big worry

2 July 2019

The Power Query exploit in Excel is a concern but one that most Excel users are already protected from. Look past some of the shock headlines (e.g “120 million users personal information at stake due to Microsoft Excel flaw”) .

Mimecast did a good job tracing this security bug in Power Query which has existed for many past versions of Excel. Because Power Query’s purpose is to grab data from external sources, it’s an opportunity for hackers to try infiltrating a computer through a link which imports code to compromise a computer.

Most anti-virus software won’t detect the exploit when checking the malicious Excel worksheet. Like modern attacks, the troublemaking code is imported from the web not included in the worksheet.

Microsoft has not directly addressed this Power Query exploit and customer concern. Instead they point to Microsoft Security Advisory 4053440 which is a typically Microsoft ‘clear as mud’ obfuscation.

DDE is already dead

The key to this Power Query exploit is DDE (Dynamic Data Exchange) an old and superseded Office technology.

Back in December 2017, Microsoft patched Office 2016 (365), 2013, 2010 and 2000 to disable DDE by default. See DDE is finally dead … what took Microsoft so long?

While DDE is old, it’s still in use, so in January 2018, Microsoft added some more Excel DDE options. To allow users and administrators permit DDE in some situations but close off most DDE access.

With DDE unavailable, the new Power Query exploit won’t work.

The quick check of your Excel DDE status is at Options | Trust Center | Trust Center Settings | External Content | Security Settings for Dynamic Data Exchange.

The current defaults are:

Secrets and tips for the Windows 10 May 2019 update

A detailed and independent look at Windows 10, especially for Microsoft Office.

Fully up-to-date with coverage of the May 2019 major update of Windows 10.

This 918 page book shows you important features and details for all serious Windows 10 users.

Enable Dynamic Data Exchange Server Lookup – ON

Lookup gets data from an already running program or source.

Enable Dynamic Data Exchange Server Launch OFF

Launch will start a program so that Excel can get data from it.

If you want to be extra careful and sure you don’t need it, turn off the DDE Lookup option.

Want More?

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.

We never share your email address with anyone - never have, never will. Privacy Policy.