Old Microsoft vulnerability actively exploited
CVE-2012-0158
CVSSv3 9.3
Sources
https://technet.microsoft.com/en-us/library/security/ms12-027
https://technet.microsoft.com/en-us/library/security/ms12-060
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
https://thehackernews.com/2020/04/ransomware-hospitals-coronavirus.html
Risks
The vulnerability allows an attacker to perform arbitrary code execution on the target system.
Successful exploitation of the vulnerability gives the functionality to drop other malware.
Note: this vulnerability was recently seen used with a COVID-19 theme and is still being actively exploited.
Description
The weakness exists due to stack-based buffer overflow in the ListView and TreeView of ActiveX controls in MSCOMCTL.OCX. A remote attacker can create a specially crafted attachment or web page to enable the buffer overflow and perform the arbitrary code execution with the privileges of the current user.
Because of the vulnerability existing from 2012, we see a lot of threat actors are delivering exploit kits to utilize this weakness. It is still a widely used technique to drop malware and even ransomware on systems running these old configurations and software.
For more information about vulnerable configurations please refer to:
Recommended Actions
CERT.be recommends to install update from vendor's website, and in general keep your Office and Anti-Virus solutions up-to-date.
The advised updates by Microsoft can be found here:
https://technet.microsoft.com/en-us/library/security/ms12-027
https://technet.microsoft.com/en-us/library/security/ms12-060