CVE-2012-0158

CVE-2012-0158 is a software vulnerability that was first exploited in 2012, resulting from a flaw in the design or implementation of Microsoft Windows Common Controls ActiveX Control. This vulnerability was primarily leveraged through parsing Rich-text-format (.rtf) files and allowed malicious actors to execute remote code. The vulnerability was later patched, but not before it was used in several notable cyberattacks. One of these attacks occurred in 2013 when Chinese political rights activists were targeted through a spear-phishing attack. The attackers exploited CVE-2012-0158 to drop a benign executable from an Office 2003 Service Pack 2 update, which was then manipulated to load a malicious DLL. This technique has been documented since at least 2013, demonstrating the long-term risks associated with such vulnerabilities. The LOWBALL malware also exploited this vulnerability. In a spear-phishing campaign, three attachments were sent via email, each exploiting CVE-2012-0158. The filenames were "使命公民運動 我們的異象.doc", "新聞稿及公佈.doc", and "(代發)[采訪通知]港大校友關注組遞信行動.doc". In all cases, the payload was the same: a backdoor known as LOWBALL, which uses Dropbox cloud-storage service for its Command-and-Control (CnC) server. These incidents highlight the persistent threat posed by software vulnerabilities, even after they have been identified and patched.