Old Office Flaw Still Exploited in Many Attacks

An Office vulnerability patched by Microsoft more than four years ago continues to be exploited in many attacks where malicious actors attempt to deliver malware using specially crafted documents.

The flaw, tracked as CVE-2012-0158 and fixed by Microsoft in April 2012, affects Office 2003, 2007 and 2010. The security hole exists in the Windows Common Control Library and it allows attackers to execute arbitrary code by getting the victim to open a malicious website or document.

According to researchers at Sophos, CVE-2012-0158 was still the most popular Office exploit in the last quarter of 2015, accounting for nearly half of all the attacks observed by the company. While there are several newer exploits increasingly used by malicious actors, none of them compare with CVE-2012-0158, which experts say should be dubbed “the bug that just won’t die.”

Researchers believe this vulnerability is highly popular among threat actors for several reasons, including the fact that it can be exploited using a harmless-looking file format, it affects many versions of Office, it provides powerful capabilities, and it can be adapted to evade detection by security products.

An analysis of a command and control (C&C) server used by Microsoft Word Intruder, a tool that allows attackers to deliver malware via malicious Word files, shows that nearly 40 percent of computers worldwide are vulnerable to CVE-2012-0158 exploits.

However, the percentage of vulnerable devices is just 15 percent in North America and Europe, which is likely why the exploit is rarely leveraged in mass spam campaigns. Instead, attackers are mostly using the exploit in targeted attacks, particularly operations aimed at regions such as Asia, where more than half of computers are still vulnerable.

Over the past years, the vulnerability has been exploited by several threat actors in attacks targeting Asian entities, including Lotus Blossom, Transparent Tribe, Roaming Tiger and other cyber espionage operations.

Exploits for CVE-2012-0158 are also included in several Office exploit generators, such as MNKit and the Four Element Sword builder.

“Realistically, until Office Exploit Kits cut their ties with it, it seems very unlikely that we will see the back of CVE-2012-0158 anytime soon,” said Sophos researchers. “Its continued usage in the wild lends more weight to the theory that it’s still having some success; even though it’s had to change its game from spam campaigns to more concentrated attacks. If there are still vulnerable computers in the world, it seems doubtful that exploit kit authors will discard it.”

Experts believe that the most likely exploits to take the place of CVE-2012-0158 are CVE-2015-1641 and CVE-2015-2545.

Related: Old Drupal Flaw Still Used to Hack Websites

Related: Attackers Still Target Old Flaw Exploited by Stuxnet