Connect with us

Hi, what are you looking for?



Old Office Flaw Still Exploited in Many Attacks

An Office vulnerability patched by Microsoft more than four years ago continues to be exploited in many attacks where malicious actors attempt to deliver malware using specially crafted documents.

An Office vulnerability patched by Microsoft more than four years ago continues to be exploited in many attacks where malicious actors attempt to deliver malware using specially crafted documents.

The flaw, tracked as CVE-2012-0158 and fixed by Microsoft in April 2012, affects Office 2003, 2007 and 2010. The security hole exists in the Windows Common Control Library and it allows attackers to execute arbitrary code by getting the victim to open a malicious website or document.

According to researchers at Sophos, CVE-2012-0158 was still the most popular Office exploit in the last quarter of 2015, accounting for nearly half of all the attacks observed by the company. While there are several newer exploits increasingly used by malicious actors, none of them compare with CVE-2012-0158, which experts say should be dubbed “the bug that just won’t die.”

Researchers believe this vulnerability is highly popular among threat actors for several reasons, including the fact that it can be exploited using a harmless-looking file format, it affects many versions of Office, it provides powerful capabilities, and it can be adapted to evade detection by security products.

An analysis of a command and control (C&C) server used by Microsoft Word Intruder, a tool that allows attackers to deliver malware via malicious Word files, shows that nearly 40 percent of computers worldwide are vulnerable to CVE-2012-0158 exploits.

However, the percentage of vulnerable devices is just 15 percent in North America and Europe, which is likely why the exploit is rarely leveraged in mass spam campaigns. Instead, attackers are mostly using the exploit in targeted attacks, particularly operations aimed at regions such as Asia, where more than half of computers are still vulnerable.

Over the past years, the vulnerability has been exploited by several threat actors in attacks targeting Asian entities, including Lotus Blossom, Transparent Tribe, Roaming Tiger and other cyber espionage operations.

Exploits for CVE-2012-0158 are also included in several Office exploit generators, such as MNKit and the Four Element Sword builder.

Advertisement. Scroll to continue reading.

“Realistically, until Office Exploit Kits cut their ties with it, it seems very unlikely that we will see the back of CVE-2012-0158 anytime soon,” said Sophos researchers. “Its continued usage in the wild lends more weight to the theory that it’s still having some success; even though it’s had to change its game from spam campaigns to more concentrated attacks. If there are still vulnerable computers in the world, it seems doubtful that exploit kit authors will discard it.”

Experts believe that the most likely exploits to take the place of CVE-2012-0158 are CVE-2015-1641 and CVE-2015-2545.

Related: Old Drupal Flaw Still Used to Hack Websites

Related: Attackers Still Target Old Flaw Exploited by Stuxnet

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.