The popular WPS Office workplace productivity software suite carried a vulnerability which allowed some threat actors to deploy backdoors to their target’s endpoints, experts have claimed.
Cybersecurity researchers at ESET found WPS Office was vulnerable to an improper path validation flaw, tracked as CVE-2024-7262. It carries a severity score of 9.3 (critical), and impacts multiple versions (from 12.2.0.13110, to 12.1.0.16412). The first patch to address the issue came out in March 2024, but some threat actors were allegedly already exploiting it a month earlier.
A South Korean state-sponsored group, known as APT-C-60, was using the flaw to drop a backdoor called SpyGlace to endpoints in East Asia, which makes sense, since WPS Office is quite popular in that part of the world and reportedly has more than 500 million active users. SpyGlace seems to be a brand new piece of malware, since there are no reports of it prior to this incident.
Failing to patch
Kingsoft, the company behind WPS Office, released a patch for the improper path validation flaw in March 2024, but the patch did not fully address the problem. As a result, it introduced an additional vulnerability, tracked as CVE-2024-7263, which was fixed two months later, in May.
While no threat actors seem to have noticed the newly introduced bug, no one was exploiting it – however, chances are it’s only a matter of time before someone picks up the trail.
To remain secure, and address both vulnerabilities, WPS Office users are advised to update their software to the latest version, without hesitation. The first “clean” version is 12.2.0.17119.
“The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable,” ESET said in its report. “The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.”
Via BleepingComputer