Cyber Resilience

CVE-2012-1856

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 August 2012
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9155 (99.7th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-1856 is a high-severity vulnerability of unspecified weakness type in Microsoft SQL Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2012-1856 is a remote code execution flaw in the TabStrip ActiveX control within MSCOMCTL.OCX, part of the Common Controls library. It affects Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4 through SQL Server 2008 R2 SP2, Commerce Server 2002 SP4 through 2009 R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1 and 9.0 SP2, and the Visual Basic 6.0 Runtime. The issue manifests when the control processes crafted input that triggers system-state corruption.

Remote attackers can exploit the flaw by supplying a malicious document or web page that the victim opens or views, resulting in arbitrary code execution on the target system. The attack requires no authentication and can be delivered over the network, though user interaction is necessary; the associated CVSS 3.1 score is 8.8 with high impact on confidentiality, integrity, and availability.

Microsoft Security Bulletin MS12-060, US-CERT alert TA12-227A, and related OVAL definitions describe available patches and mitigation steps for the listed products.

Vulnerability details

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

CWE(s): none listed
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                  Versions
microsoft   commerce server          2002, 2007, 2009
microsoft   host integration server  2004
microsoft   office                   2003, 2007, 2010
microsoft   office web components    2003
microsoft   sql server               2000, 2005, 2008
microsoft   visual basic             6.0
microsoft   visual foxpro            8.0, 9.0

Mitigating Controls (NIST 800-53 r5)

- SC-18 Mobile Code (prevent): Directly restricts execution of untrusted mobile code (ActiveX controls in MSCOMCTL.OCX) delivered via documents or web pages.

- SI-2 Flaw Remediation (prevent): Requires timely application of vendor patches that remediate the MSCOMCTL.OCX RCE flaw before exploitation.

- CM-7 Least Functionality (prevent): Enforces least functionality by disabling or restricting unnecessary ActiveX controls and COM components that enable the attack vector.