PT-2012-1210 · Microsoft · BizTalk Server +6
Published: 2012-04-10 · Updated: 2026-02-23 · CVE-2012-0158
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Office versions 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1
Office 2003 Web Components version SP3
SQL Server versions 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2
BizTalk Server version 2002 SP1
Commerce Server versions 2002 SP4, 2007 SP2, and 2009 Gold and R2
Visual FoxPro versions 8.0 SP1 and 9.0 SP2
Visual Basic 6.0 Runtime
Description
The vulnerability is related to errors in code generation management in the MSCOMCTL.OCX component of Microsoft Office, SQL Server, Commerce Server, Visual FoxPro, and Visual Basic 6.0 Runtime. It allows remote attackers to execute arbitrary code via a crafted web site, Office document, or .rtf file that triggers system state corruption. This issue was exploited in the wild in April 2012.
Recommendations
For Microsoft Office versions 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, update to a newer version to mitigate the risk.
For Office 2003 Web Components version SP3, update to a newer version to mitigate the risk.
For SQL Server versions 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2, update to a newer version to mitigate the risk.
For BizTalk Server version 2002 SP1, update to a newer version to mitigate the risk.
For Commerce Server versions 2002 SP4, 2007 SP2, and 2009 Gold and R2, update to a newer version to mitigate the risk.
For Visual FoxPro versions 8.0 SP1 and 9.0 SP2, update to a newer version to mitigate the risk.
For Visual Basic 6.0 Runtime, update to a newer version to mitigate the risk.
As a temporary workaround, consider disabling the ListView, ListView2, TreeView, and TreeView2 ActiveX controls in MSCOMCTL.OCX to minimize the risk of exploitation.
Exploit
Fix
RCE
Code Injection
Affected Products
BizTalk Server
Commerce Server
Office
Office 2003 Web Components
SQL Server
Visual Basic 6.0 Runtime
Visual FoxPro