CVE-2012-4969
Published: 18 September 2012
Summary
CVE-2012-4969 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability CVE-2012-4969 is a use-after-free condition in the CMshtmlEd::Exec function of mshtml.dll, affecting Microsoft Internet Explorer 6 through 9 and tracked under CWE-416 with a CVSS 3.1 score of 8.1.
Remote attackers can exploit the flaw by serving a crafted web page to victims, resulting in arbitrary code execution with no authentication or user interaction beyond visiting the site. The vulnerability was observed being exploited in the wild in September 2012.
Microsoft published security advisory 2757760 to address the issue, while additional technical details and indicators appear in the referenced CERT vulnerability note. Public exploit code, including a Metasploit module, was made available shortly after disclosure, confirming active in-the-wild usage.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-4893
Vulnerability details
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
- CWE(s)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the Microsoft security update that eliminates the use-after-free flaw in mshtml.dll.
Enforces malicious-code detection and blocking mechanisms that can identify and stop exploit payloads delivered via crafted web pages before code execution occurs.
Restricts acceptance and execution of mobile code (scripts, active content) from untrusted Internet sources that trigger the CMshtmlEd::Exec vulnerability.