Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples

Paul Baccas Independent researcher
Vanja Svajcer Sophos

Over the last few years, Microsoft Office viruses have become a thing of the past and now we generally see Office files as a delivery method for targeted attacks via vulnerabilities. File format features make obfuscating these targeted attacks easy, and detecting them hard.

Targeted attacks like 'Red October' and 'FakeM' relied on three different kinds of Microsoft vulnerabilities. Two of them, CVE-2009-3129 and CVE-2010-3333, posed challenges for detection development and have been discussed previously. However, the third, CVE-2012-0158, is quite different. The exploit itself could be in either a Word or an Excel document, but the delivery method could be a Word, Excel or, more commonly, RTF file. Digging through this complexity requires a strong understanding of RTF and OLE2, as well as all points in between.

This paper will document some pitfalls of the file formats that make detection problematic, with particular attention paid to the small percentage (less than 1%) of CVE-2012-0158 samples associated with high-profile attacks.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

