CVE-2012-2539
Published: 12 December 2012
Summary
CVE-2012-2539 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Word. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability is an out-of-bounds write (CWE-787) affecting Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1, along with Word Viewer, Office Compatibility Pack SP2 and SP3, and Office Web Apps 2010 SP1. It is triggered when these components process specially crafted RTF data containing an invalid listoverridecount value, resulting in memory corruption.
An attacker can supply a malicious RTF document that a user opens locally or views through Office Web Apps. Successful exploitation grants remote code execution with the privileges of the current user or alternatively causes a denial of service; the CVSS vector indicates the attack requires user interaction but no authentication.
Microsoft security bulletin MS12-079 and the associated US-CERT alert TA12-346A address the issue and direct administrators to apply the vendor-supplied updates for the affected Word and Office components.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-2525
Vulnerability details
Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Word Viewer; Office Compatibility Pack SP2 and SP3; and Office Web Apps 2010 SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "Word RTF 'listoverridecount' Remote Code Execution Vulnerability."
- CWE(s)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly requires applying the vendor patches referenced in MS12-079 to eliminate the out-of-bounds write in RTF processing before exploitation can occur.
SI-3 (Malicious Code Protection): malicious-code detection mechanisms can block or alert on RTF documents containing the crafted listoverridecount payload when signatures or behavioral rules are present.
Integrity verification of Office binaries and document-handling components can detect unauthorized modification or substitution that would otherwise allow the memory-corruption exploit to succeed.
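A triage check in the spirit of the malicious-code detection control above, as an added example that is not part of the original page or any vendor signature. It assumes, from the RTF specification rather than from this page, that \listoverridecount should be 0, 1 or 9 and should match the number of \lfolevel entries in the same \listoverride group; the function names are hypothetical and the sample fragments are constructed.

```python
import re

# Assumption (RTF specification, not this page): \listoverridecountN should be
# 0, 1 or 9 and equal the number of \lfolevel entries in its \listoverride group.
ALLOWED_COUNTS = {0, 1, 9}
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?")  # \word with optional number
GROUP_START = re.compile(rb"\{\s*\\listoverride(?![a-zA-Z])")

def override_groups(data):
    """Yield each brace-matched {\\listoverride ...} group as raw bytes."""
    for m in GROUP_START.finditer(data):
        depth, i = 0, m.start()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                i += 2          # skip \{ \} \\ or the first letter of a control word
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield data[m.start():i + 1]  # an unterminated group runs to end of input

def scan_rtf(data):
    """Return (reason, declared_count, lfolevel_entries) for each suspicious group."""
    findings = []
    for group in override_groups(data):
        words = CONTROL_WORD.findall(group)
        levels = sum(1 for name, _ in words if name == b"lfolevel")
        for name, param in words:
            if name != b"listoverridecount" or not param:
                continue
            count = int(param)
            if count not in ALLOWED_COUNTS:
                findings.append(("count-out-of-range", count, levels))
            elif count != levels:
                findings.append(("count-mismatch", count, levels))
    return findings

# Constructed fragments for illustration, not captured samples.
BENIGN = rb"{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}"
OUT_OF_RANGE = rb"{\*\listoverridetable{\listoverride\listid1\listoverridecount4\ls1}}"
MISMATCH = rb"{\listoverride\listid2\listoverridecount9{\lfolevel\levelstartat3}\ls2}"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("range", OUT_OF_RANGE), ("mismatch", MISMATCH)):
        print(label, scan_rtf(blob))
```

Word's RTF parser accepts many encodings that a byte-level scan does not normalise, so a clean result is inconclusive. Applying the MS12-079 updates remains the remediation.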