Skipped patch from 2012 makes old Microsoft Office systems a favored target

Some organizations have still not implemented an Office patch from 2012. Attackers know this and are exploiting the vulnerability.

A rusty old lock hangs open amid the flow of binary code.
Mikhail Sedov / LagartoFilm / Getty Images

In addition to protecting the desktop, you should also pay close attention to the Office suite--in particular, Microsoft’s Object Linking and Embedding (OLE) platform. OLE allows you to make linked connections between applications and other documents, but it also provides a toehold for attackers to gain access into our systems.

As a recently National Cyber Awareness system document stated: “As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the US government publicly assessed in 2015 was the most used in their cyber operations.” Let that sink in. A vulnerability patched in 2012 was the most used exploit in December 2019. The vulnerability affects Office 2003, 2007 and 2010.

According to a 2016 Sophos white paper, “Code that CVE-2012-0158 exploits is housed within the Microsoft Windows Common Control Library. MSCOMCTL.OCX is a Dynamic Linked Library (DLL) containing common controls such as the Combo Box, and Progress Bar, among others. CVE-2012-0158 is concerned specifically with the ListView and TreeView ActiveX controls.”

The exploit allows the attacker to take control of the entire system. The vulnerability allows malicious code to hide and pivot from detection and change the way it launches the attack. In one variant, the attackers used rich text format (RTF) to hide the payload. As noted in the Sophos whitepaper, “When Microsoft Word saves an RTF file, the hexadecimal representation of any embedded file is written as a continuous stream of ASCII characters, split into equal length lines which are usually 252 characters. Unfortunately, the bad guys soon discovered that Word is far from stringent about enforcing this formation and tampered with the format incessantly in order to confuse AV parsers.”

Skipped patches give attackers opportunity

One issue that allows this exploit to hang around is patch management. IT often skips a patch if it might impact the business and then never reviews if the issue has been resolved or if a workaround can be found. This update has side effects that need a lot of post-patch actions. The administrator has to search the computer for and remove older files to allow Visual Basic for Applications (VBA) to continue to work after installing the patch.

Specifically, administrators must search for and delete files with the .exd extension, which are recreated automatically the next time VBA runs. These extender files are under the user's profile and possibly other locations such as:

C:\documents and settings\username\Application Data\Microsoft\Forms

C:\documents and settings\username\AppData\Local\Temp\VBE

Scan for missing Office updates

If you still have Office 2010 deployed, review your installation base for skipped updates that leave you at risk. Use your favorite patching tool (SCCM, WSUS, etc.) and scan the network looking for missing Office updates. Take a random computer out of the network and do a deep inspection of the files and patches installed.

Especially if you aren’t planning to invest in new systems, review how to best defend yourself on what you have. Look for skipped patches and retest the impact. You may find that you are no longer using the third-party application that influenced the decision not to patch. Keep an eye on the known issues that are reported for newer and older Office platforms. hosts a listserv where patching administrators discuss side effects with patches that have been installed.

You can also download several Office support tools to help diagnose issues. Finally, you can always download ProcMon to analyze what a computer is doing to assist in debugging why something isn’t working in Office.

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)