The Power Query exploit in Excel is a concern, but one that most Excel users are already protected from. Look past some of the shock headlines (e.g. “120 million users’ personal information at stake due to Microsoft Excel flaw”).
Mimecast did a good job tracing this security bug in Power Query, which has existed in many past versions of Excel. Because Power Query’s purpose is to grab data from external sources, it gives attackers an opportunity to infiltrate a computer through a link that imports code to compromise it.
Most anti-virus software won’t detect the exploit when checking the malicious Excel worksheet. As with many modern attacks, the troublemaking code is imported from the web, not included in the worksheet itself.
Microsoft has not directly addressed this Power Query exploit or the customer concern. Instead they point to Microsoft Security Advisory 4053440, a typically Microsoft ‘clear as mud’ piece of obfuscation.
DDE is already dead
The key to this Power Query exploit is DDE (Dynamic Data Exchange), an old and superseded Office technology.
Back in December 2017, Microsoft patched Office 2016 (365), 2013, 2010 and 2000 to disable DDE by default. See DDE is finally dead … what took Microsoft so long?
While DDE is old, it’s still in use, so in January 2018 Microsoft added some more Excel DDE options. These let users and administrators permit DDE in some situations while closing off most DDE access.
With DDE unavailable, the new Power Query exploit won’t work.
The quick check of your Excel DDE status is at Options | Trust Center | Trust Center Settings | External Content | Security Settings for Dynamic Data Exchange.
The current defaults are:
Enable Dynamic Data Exchange Server Lookup – ON
Lookup gets data from an already running program or source.
Enable Dynamic Data Exchange Server Launch – OFF
Launch will start a program so that Excel can get data from it.
If you want to be extra careful and are sure you don’t need it, turn off the DDE Lookup option as well.
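For administrators who would rather check (or enforce) those two Trust Center options across many machines than click through the dialog, here is an added PowerShell example that is not part of the original post. It reads the per-user registry values behind the two DDE settings; the value names DisableDDEServerLaunch and DisableDDEServerLookup and the key path are taken from Microsoft’s advisory guidance for Excel rather than from this post, so treat them as an assumption to verify against Advisory 4053440 for your Office build.

```powershell
# Added example (not from the post): report Excel's DDE Trust Center settings
# by reading the HKCU registry values that back "Security Settings for Dynamic
# Data Exchange", and optionally turn DDE Server Lookup off as the post suggests.
# Assumption: value names/key path follow Microsoft Security Advisory 4053440
# guidance for Excel; a value of 1 means that option is disabled (OFF).
param(
    [switch]$DisableLookup   # also switch "DDE Server Lookup" OFF for this user
)

# Office 2010, 2013 and 2016/365 keep settings under these version numbers.
$versions = '14.0', '15.0', '16.0'

function Describe-DdeValue($val) {
    # Absent value = whatever the installed Office build's default is
    # (after the Jan 2018 update: Launch OFF, Lookup ON).
    if ($null -eq $val) { 'not set (Office default)' }
    elseif ($val -eq 1) { 'OFF (disabled)' }
    else { 'ON (enabled)' }
}

foreach ($v in $versions) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Excel\Security"
    if (-not (Test-Path $key)) { continue }   # that Office version is not present

    $props = Get-ItemProperty -Path $key
    foreach ($name in 'DisableDDEServerLaunch', 'DisableDDEServerLookup') {
        "Office $v  $name = $(Describe-DdeValue $props.$name)"
    }

    if ($DisableLookup) {
        # Explicitly disable DDE Server Lookup (the "extra careful" setting).
        Set-ItemProperty -Path $key -Name 'DisableDDEServerLookup' -Value 1 -Type DWord
        "Office $v  DisableDDEServerLookup set to 1 (Lookup OFF)"
    }
}
```

Run it without the switch first to see what Excel is currently using; the registry values only appear once the option has been changed from its default, so “not set” is the normal result on an untouched installation.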