, , , , , , , /

Excel’s Power Query security exploit is a worry, but not a big worry


Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

The Power Query exploit in Excel is a concern but one that most Excel users are already protected from. Look past some of the shock headlines (e.g “120 million users personal information at stake due to Microsoft Excel flaw”) .

Mimecast did a good job tracing this security bug in Power Query which has existed for many past versions of Excel. Because Power Query’s purpose is to grab data from external sources, it’s an opportunity for hackers to try infiltrating a computer through a link which imports code to compromise a computer.

Most anti-virus software won’t detect the exploit when checking the malicious Excel worksheet.  Like modern attacks, the troublemaking code is imported from the web not included in the worksheet.

Microsoft has not directly addressed this Power Query exploit and customer concern.  Instead they point to Microsoft Security Advisory 4053440 which is a typically Microsoft ‘clear as mud’ obfuscation.

DDE is already dead

The key to this Power Query exploit is DDE (Dynamic Data Exchange) an old and superseded Office technology.

Back in December 2017, Microsoft patched Office 2016 (365), 2013, 2010 and 2000 to disable DDE by default.  See DDE is finally dead … what took Microsoft so long?

While DDE is old, it’s still in use, so in January 2018, Microsoft added some more Excel DDE options. To allow users and administrators permit DDE in some situations but close off most DDE access.

With DDE unavailable, the new Power Query exploit won’t work.

The quick check of your Excel DDE status is at Options | Trust Center | Trust Center Settings | External Content | Security Settings for Dynamic Data Exchange.

excels power query security exploit is a worry but not a big worry microsoft excel 28945 - Excel’s Power Query security exploit is a worry, but not a big worry

The current defaults are:

Enable Dynamic Data Exchange Server Lookup – ON

Lookup gets data from an already running program or source.

Enable Dynamic Data Exchange Server Launch OFF

Launch will start a program so that Excel can get data from it.

If you want to be extra careful and sure you don’t need it, turn off the DDE Lookup option.

subs profile e1563205311409 - Excel’s Power Query security exploit is a worry, but not a big worry
Latest news & secrets of Microsoft Office

Microsoft Office experts give you tips and help for Word, Excel, PowerPoint and Outlook.

Give it a try. You can unsubscribe at any time.  Office Watch has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy
Invalid email address