CVE-2012-1875
Published: 2012-06-12
Priority: P274 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.66% (99.1th percentile)
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Snort: SID 23125
- CVE-2012-1875 exploits target IE8 specifically via DOM manipulation of objects with the same ID property; detection should focus on IE8 user-agent strings combined with suspicious heap spray JavaScript patterns.
- The Metasploit module for CVE-2012-1875 targets IE 8 on Windows XP SP3 and Windows 7 SP1; network detection should key on HTML responses containing heap spray JavaScript delivered to MSIE 8.0 user agents.
- The exploit uses ROP chains from msvcrt.dll and msvcr71.dll (JRE); process migration via 'migrate -f' is the default post-exploitation action, which may be visible in process telemetry.
- CVE-2012-1875 was exploited by both Hidden Lynx (VOHO campaign) and the Elderwood Gang (Operation Aurora); detections should be correlated with C2 IPs 58.64.143.244, 66.153.86.14, and 111.68.9.93.
- The crash signature for CVE-2012-1875 shows an access violation in mshtml.dll at DllGetClassObject+0xafd09 with eax=1c1c1c0c, indicative of a use-after-free on a heap-sprayed address; memory forensics should look for this pattern.
- The Metasploit module supports an optional OBFUSCATE flag that enables JavaScript obfuscation and randomizes function/variable names (trigger, feng_shui, crash, do_unescape, main, MyA, imgTest), which will defeat static string-based signatures.
- Snort SID 23125 coverage was verified against all known exploits in the wild at time of writing but requires continuous review as new exploit variants are released.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
GHSA-m5pq-9mp5-8ff4
ghsa_unreviewed · 2022-05-13
CVE-2012-1875 [HIGH] CWE-94: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
VulnCheck
Microsoft Internet Explorer Improper Control of Generation of Code ('Code Injection')
vulncheck · 2012 · CVSS 9.3 · CRITICAL
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: http://www.cs.cornell.edu/courses/cs6410/2012fa/slides/Symantec_ElderwoodProject_2012.pdf; https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf; https://www.recordedfuture.com/hidden-lynx-analysis/; https://dl.acm.org/doi/pdf/10.1145/34654
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) (Metasploit)
exploitdb · 2012-06-14
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 "MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",
'Description' => %q{
This module exploits a memory corruption flaw in Internet Explorer 8 when
handling objects with the same ID property. At the moment this module targets
IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited
in the wild.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dark So
```
Metasploit
MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
metasploit
This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild (Java msvcrt71.dll).
Krebs
In a Zero-Day World, It’s Active Attacks that Matter – Krebs on Security
blogs_krebs · 2012-10-01
The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.
This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.
Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 mon
Talos
Microsoft In-The-Wild Coverage - CVE-2012-1889 and CVE-2012-1875
blogs_talos · 2012-06-21 · CVSS 9.3 · CRITICAL
As a security professional, there's very little I hate more than Microsoft vulnerabilities announced after patches are sent out each Microsoft Tuesday. Not only do they mean that folks like me have to scramble to address them - since invariably bugs released outside the standard patch cycle come with live exploits - they typically grant the largest possible exploitation window to an attacker. If your job is to keep systems secure, a potentially month-long window between exploit code release and patch release is a nightmare.
This month brought that exact scenario, with the public release of CVE-2012-1889 mere hours after the release of the month's patches. The vulnerability has been actively exploited in the wild for some time before this public release; Google has been issuing warnings to
Recorded Future
Uncovering Hidden Lynx: Using OSINT for APT Analysis
blogs_recorded_future
# Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis
### Analysis Summary
- Visualization of open source intelligence on APTs reveals overlapping infrastructure, tools, and exploits used in the VOHO campaign and Operations Aurora, DeputyDog, and Ephemeral Hydra.
- Two vulnerabilities were identified as exploited by Hidden Lynx in its VOHO campaign (2012) and the Elderwood Gang responsible for Operation Aurora (2010). Command and control infrastructure was also shared between Hidden Lynx and threat actors responsible for two campaigns during 2013: Operation DeputyDog and Operation Ephemeral Hydra.
- Threat intelligence derived from disparate open web sources bolsters security efforts by identifying and contextualizing links between threat actors.
When the _New York Times_ and Mandiant
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 8
blogs_zscaler · CVSS 9.3 · CRITICAL
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
- http://www.us-cert.gov/cas/techalerts/TA12-164A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15663