Listen to this Post
The vulnerability resides in the way VBE6.dll – a core component of Microsoft Visual Basic for Applications – is loaded by Office applications. When an Office document (e.g., .docx, .xlsx) is opened from a directory, the application attempts to load VBE6.dll using the standard Windows DLL search order. Because the current working directory is searched before system directories like C:\Windows\System32, an attacker can place a malicious, attacker-controlled VBE6.dll in the same folder as the document. When the user opens the document, Office loads this Trojan horse DLL instead of the legitimate one. The malicious DLL runs with the user’s privileges, allowing arbitrary code execution. This is a classic “DLL preloading” or “insecure library loading” flaw. The attack requires local access or a remote share where the attacker can plant both the document and the rogue DLL. The user must navigate to that directory and open the file. In July 2012, this was exploited in the wild, typically via email attachments or network shares. The vulnerability affects Office 2003 SP3, 2007 SP2/SP3, 2010 Gold/SP1, plus standalone VBA and Summit VBA SDK. Microsoft addressed it by modifying the search order for VBE6.dll, ensuring system directories are prioritized. The CVE is also referenced in MS12-046.
Platform: Microsoft Office VBA
Version: 2003 2007 2010
Vulnerability: Insecure Library Loading
Severity: Critical
date: July 2012
Prediction: July 10 2012
What Undercode Say:
Analytics:
Check if Office version is vulnerable (example for Office 2010)
reg query "HKLM\Software\Microsoft\Office\14.0\Common" /v Version
Simulate vulnerable DLL load order
echo "Monitor process creation:"
sysmon -accepteula -i
sysmon -s | findstr "VBE6.dll"
Detect potential exploitation attempts in real time
powershell -Command "Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} | Where-Object {$_.Message -like 'VBE6.dll'}"
Exploit:
Place a malicious VBE6.dll in same folder as a benign .docx. When victim double-clicks the .docx, Office loads the rogue DLL, executing payload (e.g., reverse shell) at user privilege level.
Protection from this CVE:
Apply MS12-046 patch. Set environment variable CWDIllegalInDllSearch to 0x200 (disable current directory in search order). Use Safe DLL Search Mode (EnableSafeDllSearchMode=1). Block execution of Office from untrusted network shares.
Impact:
Local privilege escalation; arbitrary code execution as logged-on user. Full control over victim’s data, system settings, and network access. Can lead to persistent backdoor installation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

