Anatomy of an exploit – the Microsoft Word bug that just won’t die

A guest post by Graham Chantry of SophosLabs, the author of the paper that’s referred to here.
Graham is an entertaining and well-informed writer, so we recommend it!

If you’re a regular reader, you’re probably familiar with our technical papers on the topics of exploit kits and malware attacks that rely on booby-trapped Word documents.

One recurring theme in all these papers is a Microsoft Office vulnerability known rather uncatchily as CVE-2012-0158.

If we had to choose a catchy name, we’d dub it “The bug that just won’t die.”

CVE-2012-0158, which was disclosed and patched by Microsoft (MS12-027) all the way back in 2012, has proved perennially popular amongst cybercriminals, regularly topping the charts as the most-exploited document vulnerability.

In May 2016, we published a summary of our exploit statistics for the last quarter of 2015, and CVE-2012-0158 still topped the list, making up a whopping 48% of all recorded Word-based exploit attacks.

It’s not unheard of for the crooks to favour a specific vulnerability, but it is unusual for them to do so for so long.

Patching a vulnerability normally signals the beginning of the end of its usefulness to the crooks: the more people who apply the patch, the fewer computers the exploit can still hit, and the less worthwhile it becomes to keep using it.

Given that April 2016 marked the fourth anniversary of Microsoft patching CVE-2012-0158, it’s astonishing that cybercriminals are still able to exploit it.

Surely we’ve patched by now?

Surely most of us have updated Office at least once in the last four years?

It’s not as though there’s been a shortage of potential candidates to replace CVE-2012-0158.

Microsoft publishes patches for roughly 20 to 30 vulnerabilities on the second Tuesday of every month, and for many of these vulnerabilities ready-made exploits soon turn up online.

For example, the vulnerabilities known as CVE-2013-3906, CVE-2014-1761 and CVE-2015-1641 have all been used in the wild over the past three years, but their popularity with the crooks soon faded.

All of this raises the question, “What’s so special about CVE-2012-0158?”

A fascinating journey

Here at SophosLabs we’ve been keeping an eye on CVE-2012-0158 since it was first disclosed, and we’ve now published a research paper entitled CVE-2012-0158: Anatomy of a Prolific Exploit.

In the paper, we follow the fascinating twists and turns that the CVE-2012-0158 journey has taken.

We explain all aspects of the CVE-2012-0158 vulnerability, from how it actually works right through to what the future holds for it.

We dive into the mindset of the attackers to assess exactly why this vulnerability has been such a durable weapon, and we dissect the various file formats that the crooks have used to exploit it.

Join us and learn why CVE-2012-0158 has been the Word bug that just won’t die…

…and, more importantly, what we can do collectively to kill it at last.

What to do?

To keep safe against malicious Office documents, and many other threats as well:

  • Patch early, patch often. The reason should be obvious: if you don’t, the crooks have a reliable way to attack and infiltrate your computer.
  • Keep your security software up to date. A good anti-virus can block document attacks at many points, including getting rid of dangerous email attachments before you open them, filtering out booby-trapped web sites so you can’t reach them, and blocking booby-trapped files so you can’t launch them.
  • Beware of unsolicited attachments. This can be hard when your job requires you to work through emails from outside the company, but avoid opening just any old document because the email insists that you do.
  • Consider using a stripped-down document viewer. Microsoft’s own Word Viewer, for example, usually exposes a much smaller attack surface than Word itself, though it still needs its own security updates. Also, it doesn’t support macros, another Word-based malware trick commonly used by ransomware.
