9.3

CVE-2012-0158

Warning

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Data is provided by the National Vulnerability Database (NVD)
MicrosoftOffice Version2003 Updatesp3
MicrosoftOffice Version2007 Updatesp2
MicrosoftOffice Version2007 Updatesp3
MicrosoftOffice Version2010 HwPlatformx86
MicrosoftOffice Version2010 Updatesp1 HwPlatformx86
MicrosoftOffice Web Components Version2003 Updatesp3
MicrosoftSql Server 2000 Version- Updatesp4
MicrosoftSql Server 2005 Version- Updatesp4
MicrosoftSql Server 2008 Version- Updatesp2
MicrosoftSql Server 2008 Version- Updatesp3
MicrosoftSql Server 2008 Versionr2 Update-
MicrosoftSql Server 2008 Versionr2 Updatesp1
MicrosoftBiztalk Server Version2002 Updatesp1
MicrosoftCommerce Server Version2002 Updatesp4
MicrosoftCommerce Server Version2007 Updatesp2
MicrosoftVisual Basic Version6.0
MicrosoftVisual Foxpro Version8.0 Updatesp1
MicrosoftVisual Foxpro Version9.0 Updatesp2

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability

Vulnerability

Microsoft MSCOMCTL.OCX contains an unspecified vulnerability that allows for remote code execution, allowing an attacker to take complete control of an affected system under the context of the current user.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 94.31% 0.999
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://www.us-cert.gov/cas/techalerts/TA12-101A.html
Third Party Advisory
US Government Resource
http://www.securityfocus.com/bid/52911
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026899
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026900
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026902
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026903
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026904
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id?1026905
Third Party Advisory
Broken Link
VDB Entry