CVE-2012-1854 | Microsoft Office - VBE6.dll Operational Intel

Executive Risk Summary

"A vulnerability in VBE6.dll allows local users to gain privileges via a Trojan horse DLL in the current working directory. This vulnerability affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, as well as Microsoft Visual Basic for Applications (VBA) and Summit Microsoft Visual Basic for Applications SDK."

Anticipated Attack Path

1. An attacker creates a malicious DLL with the same name as a legitimate DLL required by VBE6.dll
2. The attacker places the malicious DLL in the current working directory
3. VBE6.dll loads the malicious DLL, allowing the attacker to execute system commands

Am I Vulnerable?

Verify that the system is running a vulnerable version of Microsoft Office or VBA
Check for the presence of suspicious DLL files in the current working directory
Monitor system logs for signs of malicious activity

Operational Audit Arsenal

Target Type DLL

Target Asset VBE6.dll

Standard Path C:\Program Files\Microsoft Office\Office\VBE6.dll

PowerShell

# 🛠️ Senior Engineer Universal Audit
# Target: VBE6.dll (DLL)
$Targets = 'VBE6.dll'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue | 
Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}