CVE-2012-1856
Published: 15 August 2012
Summary
CVE-2012-1856 is a high-severity vulnerability of an unspecified weakness type in Microsoft SQL Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2012-1856 is a remote code execution flaw in the TabStrip ActiveX control within MSCOMCTL.OCX, part of the Common Controls library. It affects Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4 through R2 SP2, Commerce Server 2002 SP4 through 2009 R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1 and 9.0 SP2, and the Visual Basic 6.0 Runtime. The issue manifests when the control processes crafted input that triggers system-state corruption.
Remote attackers can exploit the flaw by supplying a malicious document or web page that the victim opens or views, resulting in arbitrary code execution on the target system. The attack requires no authentication and can be delivered over the network, though user interaction is necessary; the associated CVSS 3.1 score is 8.8 with high impact on confidentiality, integrity, and availability.
Microsoft Security Bulletin MS12-060, US-CERT alert TA12-227A, and related OVAL definitions describe available patches and mitigation steps for the listed products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-1866
Vulnerability details
The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly restricts execution of untrusted mobile code (ActiveX controls in MSCOMCTL.OCX) delivered via documents or web pages.
Requires timely application of vendor patches that remediate the MSCOMCTL.OCX RCE flaw before exploitation.
Enforces least functionality by disabling or restricting unnecessary ActiveX controls and COM components that enable the attack vector.