2012 RCE bug is still highly exploited in targeted attacks, Trend Micro finds

Share this article:
Study indicates that SQL injection continues to be a pervasive threat
A 2012 RCE flaw is the most commonly exploited bug related to targeted attacks in the second half of 2013, according to Trend Micro.

A remote code execution vulnerability disclosed sometime around April 2012 was named by Trend Micro to be the most commonly exploited vulnerability related to targeted attacks in the second half of 2013 – despite being issued a patch more than two years ago.

The vulnerability – CVE-2012-0158 – impacts Windows common controls, Christopher Budd, threat communications manager for Trend Micro, told SCMagazine.com in a Friday email correspondence. He said it affects a very broad range of products, but most notably Office.

“This vulnerability is broadly exploited in targeted attacks because it enables the execution of code through malformed Office documents, which are a proven attack vector through email attachments,” Budd said.

The flaw was exploited in 76 percent of targeted attacks in the back half of 2013, according to a Tuesday post by Maersk Menrige, a threats analyst with Trend Micro. The runner-up, CVE-2010-3333, a stack-based buffer overflow vulnerability in versions of Office, was exploited in only 10 percent of targeted attacks.

“Combined with the fact that people don't patch older vulnerabilities, [CVE-2012-0158 is a] reliable vulnerability to target, as shown by [it] being the number one vulnerability for targeted attacks,” Budd said.

Researchers with Trend Micro most recently saw the vulnerability being exploited in a targeted phishing attack using emails with the subject, “BREAKING: Plane Crash in Laos Kills Top Government Officials,” according to the post. Budd did not respond to a question asking who was being targeted.

“The email attachments comprised of two legitimate JPG files and an archive file, which in some cases contain TROJ_MDROP.TRX,” Menrige wrote. “Once [the CVE-2012-0158 vulnerability is] exploited, it drops a backdoor detected as a BKDR_FARFLI variant.”

The backdoor executes commands to steal information, including processor and system architecture information, computer names and usernames, network information and proxy settings, Menrige wrote, adding it also communicates with a command-and-control server located in Hong Kong.

Share this article:

Sign up to our newsletters

More in News

Firefox 32 feature could cut undetected malware downloads 'in half'

Mozilla plans to introduce a feature in Firefox 32 that, based on preliminary testing, could cut the amount of undetected malware downloads in half.

EFF asks court to find NSA internet spying a violation of Fourth Amendment

EFF asks court to find NSA internet spying ...

Complete with a colorful graphic, the EFF showed a federal court how the NSA essentially runs a digital dragnet that can pick up innocent Americans.

Study: Asian Android users at higher risk of malware exposure

Cheetah Mobile's new study showed that Asian Android users have a two to three times greater risk of downloading malware onto their devices.