Vulnerability Description
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Office | 2003 |
| Microsoft | Office Web Components | 2003 |
| Microsoft | Sql Server 2000 | - |
| Microsoft | Sql Server 2005 | - |
| Microsoft | Sql Server 2008 | - |
| Microsoft | Biztalk Server | 2002 |
| Microsoft | Commerce Server | 2002 |
| Microsoft | Commerce Server 2009 | - |
| Microsoft | Visual Basic | 6.0 |
| Microsoft | Visual Foxpro | 8.0 |
Related Weaknesses (CWE)
References
- http://opensources.info/comment-on-the-curious-case-of-a-cve-2012-0158-exploit-bBroken Link
- http://www.securityfocus.com/bid/52911Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026899Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026900Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026902Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026903Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026904Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026905Broken LinkThird Party AdvisoryVDB Entry
- http://www.us-cert.gov/cas/techalerts/TA12-101A.htmlThird Party AdvisoryUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-02PatchVendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74372Third Party AdvisoryVDB Entry
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Broken Link
- http://opensources.info/comment-on-the-curious-case-of-a-cve-2012-0158-exploit-bBroken Link
- http://www.securityfocus.com/bid/52911Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id?1026899Broken LinkThird Party AdvisoryVDB Entry
FAQ
What is CVE-2012-0158?
CVE-2012-0158 is a vulnerability with a CVSS score of 8.8 (HIGH). The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2...
How severe is CVE-2012-0158?
CVE-2012-0158 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-0158?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Office, Microsoft Office Web Components, Microsoft Sql Server 2000, Microsoft Sql Server 2005, Microsoft Sql Server 2008.