
Old Microsoft vulnerability actively exploited

Reference: Advisory #2020-013
Version: 1
Affected software: 
Microsoft Office 2003, 2007, 2010
Microsoft SQL Server 2000, 2005, 2008(R2)
Microsoft BizTalk Server 2002
Microsoft Commerce Server 2002, 2007, 2009(R2)
Microsoft Visual FoxPro 8.0, 9.0
Visual Basic 6.0 Runtime
Type: Arbitrary Code Execution, Stack-based Buffer Overflow
CVE/CVSS:
CVE-2012-0158
CVSSv3 9.3

Sources

https://technet.microsoft.com/en-us/library/security/ms12-027

https://technet.microsoft.com/en-us/library/security/ms12-060

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2012-0158-exploit-in-the-wild/

https://thehackernews.com/2020/04/ransomware-hospitals-coronavirus.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prolific-Exploit.PDF

Risks

The vulnerability allows an attacker to execute arbitrary code on the target system.
Successful exploitation lets the attacker drop other malware on the system.
Note: this vulnerability was recently seen being used with a COVID-19 theme and is still being actively exploited.

Description

The weakness is a stack-based buffer overflow in the ListView and TreeView ActiveX controls in MSCOMCTL.OCX. A remote attacker can create a specially crafted attachment or web page that triggers the buffer overflow and executes arbitrary code with the privileges of the current user.
Because the vulnerability has existed since 2012, many threat actors deliver exploit kits that use this weakness. It is still a widely used technique to drop malware, and even ransomware, on systems running these old configurations and software.
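
A triage heuristic for the attachment path described above, as an added example that is not part of the original advisory: it flags files that reference the ListView or TreeView controls by ProgID, whether the string appears raw, as UTF-16, or hex-encoded (the way RTF stores embedded object data). The ProgID prefixes, function names and sample fragment are assumptions of this example; a hit means the file embeds one of these controls, not that it is malicious.

```python
import re

# ProgID prefixes of the two controls the advisory names (assumption of this
# example; the version suffix such as ".2" is left off so any version matches).
PROGIDS = (b"MSComctlLib.ListViewCtrl", b"MSComctlLib.TreeCtrl")

# Runs of 16+ hex digits, tolerating whitespace/newlines between digits.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]\s*){16,}")


def decode_hex_runs(data: bytes) -> list[bytes]:
    """Decode every hex run at both nibble alignments.

    A stray hex-looking character before the run (for example the final 'a'
    of the RTF control word 'objdata') shifts the pairing by one digit, so
    each run is decoded twice: as found, and with the first digit skipped.
    """
    views = []
    for match in HEX_RUN.finditer(data):
        digits = re.sub(rb"\s+", b"", match.group())
        for shift in (0, 1):
            part = digits[shift:]
            part = part[: len(part) - len(part) % 2]  # keep whole bytes only
            views.append(bytes.fromhex(part.decode("ascii")))
    return views


def find_control_refs(data: bytes) -> list[str]:
    """Return the ProgID prefixes referenced anywhere in the file bytes."""
    hits = set()
    for view in [data] + decode_hex_runs(data):
        lowered = view.lower()  # ProgIDs are case-insensitive
        for progid in PROGIDS:
            wide = progid.decode("ascii").encode("utf-16-le")
            if progid.lower() in lowered or wide.lower() in lowered:
                hits.add(progid.decode("ascii"))
    return sorted(hits)


def sample_rtf() -> bytes:
    """Constructed, benign RTF-like fragment: filler bytes plus a class name."""
    blob = b"\x01\x05\x00\x00" + b"MSComctlLib.ListViewCtrl.2\x00" + b"\x00" * 8
    hexed = blob.hex().encode("ascii")
    wrapped = b"\r\n".join(hexed[i:i + 14] for i in range(0, len(hexed), 14))
    return b"{\\rtf1{\\object\\objocx{\\*\\objdata " + wrapped + b"}}}"
```
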

For more information about vulnerable configurations please refer to: 

Recommended Actions

CERT.be recommends installing the updates from the vendor's website and, in general, keeping your Office and anti-virus solutions up to date.

The advised updates by Microsoft can be found here:

https://technet.microsoft.com/en-us/library/security/ms12-027

https://technet.microsoft.com/en-us/library/security/ms12-060