SCF Advanced Search



  • Total Members: 13736
  • Latest: parasti
  • Total Posts: 38282
  • Total Topics: 12871
  • Online Today: 1341
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)


Author Topic: CVE-2012-0158 Exploit in the Wild (MS12-027)  (Read 2750 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
CVE-2012-0158 Exploit in the Wild (MS12-027)
« on: 24. April 2012., 08:59:57 »

CVE-2012-0158 Exploit in the Wild (MS12-027)

Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.

The following image shows an example of a crafted RTF file containing a vulnerable OLE file. You can see the signature of the OLE file in D0CF11E0. …

Larger picture

Malicious RTF file

Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:

1. The crafted document is opened by a Word process.

2. Exploiting the vulnerability triggers the shellcode in the OLE file.

3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:

%userProfile%\Local Settings\Temp\(filename).exe

4. The shellcode start a new process of Word and opens as bait an innocent document file embedded in the document. Typically the bait file is dropped at:

%userProfile%\Local Settings\Temp\(filename).doc

5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.

These crafted documents typically arrive as email attachments. Users should always exercise caution when opening unsolicited emails. We also strongly recommend installing the latest fix, from April’s Patch Tuesday. (Refer to the Microsoft Bulletin for more information: )

McAfee detects these malicious document files as:

•Exploit-CVE2012-0158: Detection for MS Office files such as MS Word and MS Excel
•Exploit-CVE2012-0158!rtf : RTF files containing vulnerable OLE containers

Orginal article: Monday, April 23, 2012 at 11:56am by Shinsuke Honjo


Vulnerability Summary for CVE-2012-0158  
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

CVE-2012-0158 Exploit in the Wild (MS12-027)
« on: 24. April 2012., 08:59:57 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising