CVE-ZOMBIE: the Word vulnerability that refuses to die

CVE-2012-0158 allocated in 2011, patched in 2012, still being actively exploited in 2016: the question is why?

Not only is this particular MS Word vulnerability far from dead, it remains one of the most actively exploited vulnerabilities across the Word family.
Not only is this particular MS Word vulnerability far from dead, it remains one of the most actively exploited vulnerabilities across the Word family.

If a vulnerability was allocated a CVE number in 2011, and a patch released in 2012, you'd expect it to be long dead. So why is CVE-2012-0158 not only still alive, but still eating virtual brains?

In his research paper 'Anatomy of a prolific exploit' Sophos researcher Graham Chantry states "Whether you're an experienced threat researcher, a keen security blog reader or you've simply received a malicious Office document attachment; you'll have likely come across the CVE-2012-0158 vulnerability in some form." And he's not wrong.

Not only is this particular MS Word vulnerability far from dead, it remains one of the most actively exploited vulnerabilities across the Word family.

Which begs the question, what has gone so right for the bad guys and what's so special about CVE-2012-0158 for it to have become such a successful zombie?

"There are two attractive features of the family of exploits built on CVE-2012-0158" says Tod Beardsley, senior security research manager at Rapid7.  First, the potential for obfuscating exploits embedded in Rich Text Format (RTF) files is enormous, thanks to the loose file formats supported by RTF and OLE which are tolerant of random whitespace and other junk.

"This means that even if inline defences are capable of parsing RTF and OLE, unless they're running a fully functional Office emulator, they won't detect every possible variation" Beardsley explains.

Secondly, it doesn't cost the attacker anything to try to exploit this vulnerability along with other, more recent ones, since a failed exploit attempt doesn't prevent other exploits from running, and the attacker isn't constrained significantly by file size or other considerations.

"The exploit and obfuscation techniques are old enough to be quite well-known and widespread" Beardsley concludes "so if an attacker is in a position to throw two exploits at a target, there's no reason not to throw three, or ten, or a hundred."

Which leads us to have to ask then, what has gone so wrong by way of the security industry response? Could more have been done by vendors to kill it, or does the 'blame' sit with the end user?

Simon Crosby, CTO and co-founder at Bromium doesn't think that the end user should be blamed, but then nor can legacy security vendors he told SCMagazineUK.com. "An attack embedded in a document can be quickly varied - faster than AV vendors can generate signatures.  What's needed is an approach that isolates all untrusted documents while giving the user an unchanged user experience."

Or the end user could just have patched Word sometime in the last four years.

But is it really that easy? Jeremiah Grossman, chief of security strategy at SentinelOne, doesn't think so. "Patching comprehensivenes and timeliness, for enterprises and consumers alike, is an enormous and longstanding problem that affects the entire information security industry" he says.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS