CVE-2012-0158 — Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability

Microsoft MSCOMCTL.OCX — ListView/TreeView ActiveX Stack Overflow, the Most Exploited Office CVE of the Decade

What is MSCOMCTL.OCX?

MSCOMCTL.OCX (Microsoft Common Controls) is a Windows library that provides ActiveX controls — ListView, TreeView, TabStrip, StatusBar, Toolbar — used extensively in Microsoft Office documents and legacy Windows applications. These controls can be embedded in Word, Excel, and other Office documents to create interactive UI elements. Because MSCOMCTL.OCX is present on virtually every Windows system with Office installed, vulnerabilities in it represent an enormous attack surface: a malicious document exploiting MSCOMCTL.OCX can be opened on any target machine that has Office.

Overview

CVE-2012-0158 is a stack buffer overflow in the ListView and TreeView ActiveX controls within MSCOMCTL.OCX. Processing a crafted Office document or web page that contains a malformed ActiveX control state triggers the overflow and allows arbitrary code execution in the context of the user. This vulnerability became arguably the most widely exploited Office vulnerability in history — used by dozens of nation-state APT groups and criminal actors for years after the patch was released.

Microsoft patched this in Security Bulletin MS12-027 on April 10, 2012.

Affected Versions

Product                                              Affected   Fixed
Microsoft Office 2003 SP3                            Yes        MS12-027
Microsoft Office 2007 SP2, SP3                       Yes        MS12-027
Microsoft Office 2010 (32/64-bit)                    Yes        MS12-027
Microsoft Commerce Server 2002, 2007, 2009           Yes        MS12-027
Microsoft SQL Server 2000 Analysis Services SP4      Yes        MS12-027
Microsoft Visual FoxPro 8.0 SP1, 9.0 SP2             Yes        MS12-027

Technical Details

The overflow occurs in the code that processes the serialized state of ListView and TreeView ActiveX controls when loading a document. A specially crafted document (RTF, DOC, XLS) with a malformed control state overflows a fixed-size stack buffer in MSCOMCTL.OCX, overwriting the saved return address and redirecting execution to attacker-controlled code.

Why this became so enduring an exploit:

  • RTF files embedding the exploit need no macros, so the macro security warning that would alert a user never appears
  • The same exploit document worked across all affected Office versions at once
  • Many organizations patched Office more slowly than Windows, leaving a years-long window of vulnerable systems
  • The exploit is highly reliable and well-documented, making it easy for attackers to adapt to new campaigns

Discovery

The vulnerability was initially discovered through analysis of RTF documents found in targeted attacks against Tibetan and Uyghur activists in early 2012. FireEye and other security researchers analyzed the exploit and reported it to Microsoft, leading to the MS12-027 patch.

Exploitation Context

CVE-2012-0158 became the definitive example of a "long-tail" Office exploit. While patched in April 2012, it was still observed in active campaigns years later:

  • APT1 (Comment Crew, China): Included in their phishing toolkit documented in Mandiant's landmark 2013 report
  • APT28 (Fancy Bear, Russia): Used in spear-phishing against government and military targets
  • Dark Hotel: Used against targets reached through hotel Wi-Fi networks
  • Lazarus Group (North Korea): Incorporated into financially-motivated campaigns
  • Criminal actors: Incorporated into crimeware kits for broad distribution

The exploit was typically delivered via spear-phishing emails containing RTF or DOC files. Successful exploitation gave attackers full code execution in the Office process context — enough to drop and execute secondary malware.

Remediation

  1. Apply MS12-027 on all systems with Office, Commerce Server, or Visual FoxPro
  2. Upgrade to Office 2016 or later, which ships with MSCOMCTL.OCX updates bundled
  3. Enable Office Protected View and Attack Surface Reduction rules to prevent Office from spawning child processes
  4. Block RTF files at the email gateway if RTF is not a business requirement — the exploit was most commonly delivered via RTF
  5. Deploy endpoint detection rules to flag MSCOMCTL.OCX spawning processes like cmd.exe, powershell.exe, or wscript.exe
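As an added illustration of remediation step 5 (this is example code written for this page, not a vendor detection rule), the following flags an Office host process (the process that loads MSCOMCTL.OCX to render an embedded ListView/TreeView control) spawning one of the interpreters named above. The log format, the host-process set and the sample records are constructed assumptions.

```python
"""Flag Office host processes spawning command or script interpreters.

Constructed record format (assumption): utc|parent_image|image|command_line
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed host set
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}   # interpreters named above


@dataclass
class ProcEvent:
    utc: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcEvent:
    """Split one constructed record into its four fields (command line may contain '|' safely)."""
    utc, parent, image, cmd = line.rstrip("\n").split("|", 3)
    return ProcEvent(utc, parent, image, cmd)


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path, e.g. '...\\WINWORD.EXE' -> 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(ev: ProcEvent) -> bool:
    """True when an Office host directly spawns an interpreter; other Office children are ignored."""
    return basename(ev.parent_image) in OFFICE_HOSTS and basename(ev.image) in INTERPRETERS


def find_alerts(lines) -> list[str]:
    """Return one alert line per suspicious event, preserving log order."""
    alerts = []
    for ev in map(parse_line, lines):
        if is_suspicious(ev):
            alerts.append(f"{ev.utc} {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
    return alerts


# Constructed sample records (not real telemetry). Only records 1 and 4 should alert.
SAMPLE_LINES = [
    r"2012-04-12T09:14:02Z|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c start %TEMP%\update.exe",
    r"2012-04-12T09:14:03Z|C:\Windows\System32\cmd.exe|C:\TEMP\update.exe|update.exe",
    r"2012-04-12T09:15:10Z|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"2012-04-12T09:16:44Z|C:\Program Files\Microsoft Office\Office12\EXCEL.EXE|C:\Windows\System32\wscript.exe|wscript.exe //e:vbscript %TEMP%\x.vbs",
    r"2012-04-12T09:20:00Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LINES):
        print(alert)
```

The rule deliberately fires on any Office-spawned interpreter, which also catches macro-based delivery; tune it by excluding known-good parent/child pairs rather than narrowing it to this one CVE.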

Key Details

Property              Value
CVE ID                CVE-2012-0158
Vendor / Product      Microsoft — MSCOMCTL.OCX
NVD Published         2012-04-10
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-94
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    Required
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2012-04-10   Microsoft releases MS12-027 patching the MSCOMCTL.OCX stack overflow
2012-04-10   CVE-2012-0158 published
2012-04      Exploitation observed in targeted attacks within days of patch release
2013-2016    APT1, APT28, Dark Hotel, Lazarus Group and others actively exploit unpatched systems
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
NVD — CVE-2012-0158                        Vulnerability Database
CISA KEV Catalog Entry                     US Government
Microsoft Security Bulletin MS12-027       Vendor Advisory