CVE-2012-0016

Microsoft Expression Design - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-0016.

AI-analyzed exploit summary This Metasploit module exploits CVE-2013-0074 (incorrectly referenced as CVE-2012-0016 in the query) in Microsoft Silverlight by leveraging unsafe memory access in the Initialize() method of System.Windows.Browser.ScriptObject, combined with an info leak in WriteableBitmap to bypass DEP/ASLR. It delivers a malicious XAP file to achieve remote code execution on vulnerable IE browsers.

Description

Untrusted search path vulnerability in Microsoft Expression Design; Expression Design SP1; and Expression Design 2, 3, and 4 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .xpr or .DESIGN file, aka "Expression Design Insecure Library Loading Vulnerability."

Exploits (1)

exploitdb WORKING POC

rubyremotewindows

https://www.exploit-db.com/exploits/29858

View Code ZIP pw:eip

This Metasploit module exploits CVE-2013-0074 (incorrectly referenced as CVE-2012-0016 in the query) in Microsoft Silverlight by leveraging unsafe memory access in the Initialize() method of System.Windows.Browser.ScriptObject, combined with an info leak in WriteableBitmap to bypass DEP/ASLR. It delivers a malicious XAP file to achieve remote code execution on vulnerable IE browsers.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Silverlight (via Internet Explorer 6-10)

No auth needed

Prerequisites: Victim must visit a malicious webpage using Internet Explorer 6-10 with Silverlight installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-022

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14973

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA12-073A.html

Scores

EPSS 0.4402

EPSS Percentile 97.6%

Details

Status published

Products (4)

microsoft/expression_design (2 CPE variants)

microsoft/expression_design 2

microsoft/expression_design 3

microsoft/expression_design 4

Published Mar 13, 2012

Tracked Since Feb 18, 2026