CVE-2012-0158
Published: 10 April 2012
Summary
CVE-2012-0158 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Office. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability is a remote code execution flaw, identified as CWE-94, in the ListView, ListView2, TreeView, and TreeView2 ActiveX controls within MSCOMCTL.OCX from the Microsoft Common Controls library. It affects a wide range of products including Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1 along with Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2/SP3/R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold/R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and the Visual Basic 6.0 Runtime. The flaw stems from improper handling of crafted input that corrupts system state.
Remote attackers can exploit the issue by delivering a malicious web site, Office document, or RTF file to a target system. Successful exploitation grants the ability to execute arbitrary code with the privileges of the current user, enabling full compromise of affected applications and underlying data.
The issue was exploited in the wild as of April 2012. Public references such as SecurityFocus BID 52911 and multiple SecurityTracker entries (1026899, 1026900, 1026902) along with related analyses document the vulnerability and its observed use in targeted attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-0196
Vulnerability details
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
- CWE(s): CWE-94
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Restricts or disables use of ActiveX mobile code (MSCOMCTL.OCX controls) that can be invoked by crafted documents or web content to achieve RCE.
Deploys malicious-code protection mechanisms that detect and block the crafted Office/RTF/web payloads exploiting the ListView/TreeView ActiveX flaw.
Disables or removes the unnecessary MSCOMCTL.OCX ActiveX components, reducing the attack surface for the documented RCE vector.