Microsoft has released two security enhancements as defense-in-depth measures for Excel in the January 2022 update. These security enhancements disable Dynamic Data Exchange (DDE) and automatic activation of OLE (Object Linking and Embedding) objects in all supported versions of Excel.
Dynamic Data Exchange (DDE)
In January 2018, controls to disable DDE server lookup and DDE server launch were added to all supported versions of Excel.
In August 2019, Office 365 versions >= 1902 had DDE server launch disabled and Group Policy support was added for both DDE server lookup and DDE server launch.
In Office 2021, DDE server launch is disabled and Group Policy support for both DDE settings is present.
The January 2022 update disables DDE server launch in all supported versions of Excel and provides Group Policy support for this setting in Office 2016 and Office 2019. Users who have previously configured these settings will not be affected by this update.
Restoring old behavior
Users and administrators who wish to enable DDE server launch can choose from the following options:
-
For Office 2019, Office LTSC 2021, and Office 365, users can control DDE settings in the External Content section of Trust Center Settings.
-
For all Office versions, users and administrators may set the appropriate registry value for DDE server launch.
-
For Office 2016, Office 2019, Office LTSC 2021, and Office 365, administrators may use Group Policy to re-enable DDE server launch.
Warning: Warning: this will prevent users from disabling DDE server launch on their machines.
For more information about the DDE defense-in-depth enhancement and how to re-enable DDE server launch via the registry or group policy, see ADV170021 - Security Update Guide - Microsoft - Microsoft Office Defense in Depth Update.
Automatic activation of OLE (Object Linking and Embedding) Objects
The January 2022 update disables automatic activation of OLE objects for all supported versions of Excel. Users wishing to activate OLE objects must manually activate them after opening the file.
Restoring old behavior
Users who wish to restore automatic activation of OLE objects can do this:
-
Open Registry Editor
Caution: Editing the registry incorrectly might severely damage your system. Before you make changes to the registry, we recommend that you back up any valued data on the computer.
-
Add the following registry value as a DWORD:
-
Office 2013: Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\BlockOleAutoActivate
-
Office 2016, 2019, 2021, 365: Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\BlockOleAutoActivate
-
-
Set the value to 0
-
Restart Excel
To re-enable the OLE auto-activation block, set the registry value to 1.