Security Experts:

Connect with us

Hi, what are you looking for?



Old Office Flaw Still Exploited in Many Attacks

An Office vulnerability patched by Microsoft more than four years ago continues to be exploited in many attacks where malicious actors attempt to deliver malware using specially crafted documents.

An Office vulnerability patched by Microsoft more than four years ago continues to be exploited in many attacks where malicious actors attempt to deliver malware using specially crafted documents.

The flaw, tracked as CVE-2012-0158 and fixed by Microsoft in April 2012, affects Office 2003, 2007 and 2010. The security hole exists in the Windows Common Control Library and it allows attackers to execute arbitrary code by getting the victim to open a malicious website or document.

According to researchers at Sophos, CVE-2012-0158 was still the most popular Office exploit in the last quarter of 2015, accounting for nearly half of all the attacks observed by the company. While there are several newer exploits increasingly used by malicious actors, none of them compare with CVE-2012-0158, which experts say should be dubbed “the bug that just won’t die.”

Researchers believe this vulnerability is highly popular among threat actors for several reasons, including the fact that it can be exploited using a harmless-looking file format, it affects many versions of Office, it provides powerful capabilities, and it can be adapted to evade detection by security products.

An analysis of a command and control (C&C) server used by Microsoft Word Intruder, a tool that allows attackers to deliver malware via malicious Word files, shows that nearly 40 percent of computers worldwide are vulnerable to CVE-2012-0158 exploits.

However, the percentage of vulnerable devices is just 15 percent in North America and Europe, which is likely why the exploit is rarely leveraged in mass spam campaigns. Instead, attackers are mostly using the exploit in targeted attacks, particularly operations aimed at regions such as Asia, where more than half of computers are still vulnerable.

Over the past years, the vulnerability has been exploited by several threat actors in attacks targeting Asian entities, including Lotus Blossom, Transparent Tribe, Roaming Tiger and other cyber espionage operations.

Exploits for CVE-2012-0158 are also included in several Office exploit generators, such as MNKit and the Four Element Sword builder.

“Realistically, until Office Exploit Kits cut their ties with it, it seems very unlikely that we will see the back of CVE-2012-0158 anytime soon,” said Sophos researchers. “Its continued usage in the wild lends more weight to the theory that it’s still having some success; even though it’s had to change its game from spam campaigns to more concentrated attacks. If there are still vulnerable computers in the world, it seems doubtful that exploit kit authors will discard it.”

Experts believe that the most likely exploits to take the place of CVE-2012-0158 are CVE-2015-1641 and CVE-2015-2545.

Related: Old Drupal Flaw Still Used to Hack Websites

Related: Attackers Still Target Old Flaw Exploited by Stuxnet

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.