CVE-2012-0158 Exploit in the Wild

By on

Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.

The following image shows an example of a crafted RTF file containing a vulnerable OLE file. You can see the signature of the OLE file in D0CF11E0. …

Malicious RTF file

Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:

1. The crafted document is opened by a Word process.

2. Exploiting the vulnerability triggers the shellcode in the OLE file.

3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:

%userProfile%\Local Settings\Temp\(filename).exe

4. The shellcode start a new process of Word and opens as bait an innocent document file embedded in the document. Typically the bait file is dropped at:

%userProfile%\Local Settings\Temp\(filename).doc

5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.

These crafted documents typically arrive as email attachments. Users should always exercise caution when opening unsolicited emails. We also strongly recommend installing the latest fix, from April’s Patch Tuesday. (Refer to the Microsoft Bulletin for more information:

McAfee detects these malicious document files as:

  • Exploit-CVE2012-0158: Detection for MS Office files such as MS Word and MS Excel
  • Exploit-CVE2012-0158!rtf : RTF files containing vulnerable OLE containers

Leave a Comment

Similar articles

Each year, internet users lose billions of dollars to online scams, using clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you ...
Read Blog
McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total ...
Read Blog
Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself. But AI is anything but futuristic or ...
Read Blog