What is MSCOMCTL.OCX?
MSCOMCTL.OCX (Microsoft Common Controls) is a Windows library providing ActiveX controls — ListView, TreeView, TabStrip, StatusBar, Toolbar — embedded in Office documents and legacy Windows applications. CVE-2012-1856 is the second major exploited vulnerability in MSCOMCTL.OCX in 2012, following CVE-2012-0158 (which targeted the ListView/TreeView controls in April 2012). Both vulnerabilities arose from the complexity and legacy nature of the MSCOMCTL.OCX codebase, which was shared across Office versions and Windows.
Overview
CVE-2012-1856 is a system-state corruption vulnerability in the TabStrip ActiveX control within MSCOMCTL.OCX. Processing a crafted Office document or web page that embeds a malformed TabStrip control triggers a system-state corruption condition that allows arbitrary code execution in the context of the current user. Microsoft patched this in Security Bulletin MS12-060 on August 14, 2012.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Microsoft Office 2003 SP3 | Yes | MS12-060 |
| Microsoft Office 2007 SP2, SP3 | Yes | MS12-060 |
| Microsoft Office 2010 (32-bit and 64-bit) | Yes | MS12-060 |
| Microsoft SQL Server 2000 Analysis Services SP4 | Yes | MS12-060 |
| Microsoft SQL Server 2005 SP4 | Yes | MS12-060 |
| Microsoft SQL Server 2008 SP2, SP3 | Yes | MS12-060 |
| Microsoft Commerce Server 2002, 2007, 2009 | Yes | MS12-060 |
| Microsoft Visual FoxPro 8.0 SP1, 9.0 SP2 | Yes | MS12-060 |
Technical Details
The TabStrip control in MSCOMCTL.OCX manages tabbed interfaces in Windows applications and Office documents. The vulnerability involves a system-state corruption when the control processes a malformed ActiveX persistence state embedded in a document or loaded from a web page.
The exploit mechanism is similar to CVE-2012-0158: a crafted Office document (typically RTF or DOC) with a specially formed ActiveX control state is opened, Office invokes the MSCOMCTL.OCX TabStrip control to restore the persisted state, and the corruption occurs — redirecting execution to attacker-controlled code.
Exploitation advantages for attackers:
- Like CVE-2012-0158, this exploit works via RTF documents, which do not trigger macro security warnings
- The same MSCOMCTL.OCX exploit delivery infrastructure (crafted document templates, phishing emails) used for CVE-2012-0158 could be adapted for CVE-2012-1856
- A single crafted document can target every affected Office version at once, because they all load the same shared MSCOMCTL.OCX code
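Because these documents carry the malformed control state inside an RTF `\objdata` blob rather than in a macro, a mail gateway or triage script has to look at the embedded object bytes themselves. The scanner below is an added example for this page, not code from the original page or from Microsoft: it decodes each `\objdata` hex blob, checks for an OLE compound-file signature, and looks for the MSCOMCTL.OCX library name and the control names this page discusses. It assumes (labelled in the comments) that the persisted state travels as an OLE container and that MSCOMCTL.OCX controls identify themselves with the `MSComctlLib` ProgID prefix; the sample RTF it builds is constructed for the demonstration and is not an exploit document.

```python
"""
Heuristic scanner for RTF documents that embed a persisted MSCOMCTL.OCX control.

Added example for this page; not code from the original page or from Microsoft.
Assumptions (also marked in the comments below):
  - the persisted control state travels in an RTF \\objdata hex blob wrapping an
    OLE container (compound-file magic D0 CF 11 E0 A1 B1 1A E1);
  - MSCOMCTL.OCX controls identify themselves with the "MSComctlLib" library name
    (ProgIDs such as MSComctlLib.TabStrip), appearing as ASCII in the OLE1 object
    header or as UTF-16LE inside the container.
"""
import binascii
import re
from typing import Dict, List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"                    # compound-file signature
LIB_MARKERS = [b"MSComctlLib", "MSComctlLib".encode("utf-16-le")]  # assumed ProgID prefix
CONTROL_NAMES = ["TabStrip", "ListView", "TreeView"]              # controls named on this page

# \objdata is followed by the object's bytes as hex digits, often wrapped across lines
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return the decoded bytes of every \\objdata blob in the RTF, tolerating ragged hex."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdigits) % 2:                 # truncated blob: drop the dangling nibble
            hexdigits = hexdigits[:-1]
        if not hexdigits:
            continue
        blobs.append(binascii.unhexlify(hexdigits))
    return blobs


def classify_blob(blob: bytes) -> Dict[str, object]:
    """Look for an OLE container and MSCOMCTL.OCX identifiers inside one decoded blob."""
    controls = [name for name in CONTROL_NAMES
                if name.encode() in blob or name.encode("utf-16-le") in blob]
    has_ole = OLE_MAGIC in blob                # not necessarily at offset 0: an OLE1 header comes first
    has_lib = any(marker in blob for marker in LIB_MARKERS)
    return {
        "size": len(blob),
        "ole_container": has_ole,
        "mscomctl": has_lib,
        "controls": controls,
        # Flag a blob that is an OLE container naming the MSCOMCTL library. The RTF
        # \objclass keyword is deliberately ignored: it is optional and easily omitted.
        "suspicious": has_ole and has_lib,
    }


def scan_rtf(rtf: bytes) -> List[Dict[str, object]]:
    """Classify every embedded object in an RTF document."""
    findings = []
    for index, blob in enumerate(extract_objdata(rtf)):
        finding = classify_blob(blob)
        finding["index"] = index
        findings.append(finding)
    return findings


def build_sample_rtf() -> bytes:
    """Constructed sample (not a real exploit): an RTF whose \\objdata wraps a fake
    OLE1 header naming MSComctlLib.TabStrip.2 followed by a compound-file signature."""
    fake_object = (b"\x01\x05\x00\x00\x02\x00\x00\x00"      # OLE1 header-like prefix (constructed)
                   + b"MSComctlLib.TabStrip.2\x00"
                   + OLE_MAGIC + b"\x00" * 24)
    hexdata = binascii.hexlify(fake_object)
    wrapped = b"\r\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + wrapped + b"}}}"


if __name__ == "__main__":
    for finding in scan_rtf(build_sample_rtf()):
        print(finding)
```

Matching on the decoded object bytes rather than on `\objclass` is the point of the design: the keyword is optional in RTF, so a check keyed on it is trivially bypassed, whereas the control still has to name its library inside the persisted object for Office to instantiate it. Legitimate documents that embed these controls will also match, so treat a hit as a reason to route the file to a sandbox or hold it for review, and pair the scan with confirmation that MS12-060 is deployed on the receiving hosts.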
Discovery
The vulnerability was discovered and reported to Microsoft through coordinated disclosure, included in the August 2012 Patch Tuesday release (MS12-060).
Exploitation Context
CISA confirmed in-the-wild exploitation. APT groups that had previously used CVE-2012-0158 (MSCOMCTL.OCX ListView/TreeView) adapted their tooling to use CVE-2012-1856 (TabStrip) after MS12-027 was widely applied. This pattern — exploiting multiple vulnerabilities in the same MSCOMCTL.OCX library as patches are deployed — reflects sophisticated adversary operational security and toolkit diversity.
Remediation
- Apply MS12-060 on all systems with Office, SQL Server, Commerce Server, or Visual FoxPro
- Upgrade to Office 2016 or later, which includes updated MSCOMCTL.OCX versions not affected by these legacy vulnerabilities
- Enable Attack Surface Reduction (ASR) rules in Windows Defender to block Office from creating child processes
- Enable Office Protected View for documents from external sources and use Group Policy to suppress the "Enable editing" prompt, so users cannot take such documents out of Protected View
- Consider blocking RTF files at the email gateway if RTF is not a business requirement — MSCOMCTL.OCX exploits are predominantly delivered via RTF
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2012-1856 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2012-08-15 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Decoded from the CVSS 3.1 vector above:
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Timeline
| Date | Event |
|---|---|
| 2012-08-14 | Microsoft releases MS12-060 patching the MSCOMCTL.OCX TabStrip system-state corruption |
| 2012-08-15 | CVE-2012-1856 published |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2012-1856 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS12-060 | Vendor Advisory |