Popular workplace productivity software suite WPS Office had a vulnerability that allowed some threat actors to deploy backdoors on their targets' endpoints, experts said.
ESET cybersecurity researchers discovered that WPS Office was vulnerable to an improper path validation flaw, tracked as CVE-2024-7262. It has a severity score of 9.3 (critical) and affects several versions (from 12.2.0.13110 to 12.1.0.16412). The first patch to fix the issue was released in March 2024, but some threat actors were reportedly already exploiting it a month earlier.
A South Korean state-sponsored group known as APT-C-60 was using the flaw to install a backdoor called SpyGlace on endpoints in East Asia, which makes sense since WPS Office is quite popular in that part of the world and reportedly has over 500 million active users. SpyGlace appears to be a new type of malware, since there have been no reports of it before this incident.
Failed to apply patch
Kingsoft, the company behind WPS Office, released a patch for the incorrect path validation flaw in March 2024, but the patch did not completely fix the issue. As a result, it introduced an additional vulnerability, tracked as CVE-2024-7263, which was patched two months later in May.
No threat actors seem to have noticed the newly introduced bug, and no one was exploiting it; however, it's likely only a matter of time before someone picks up the trail.
To maintain security and address both vulnerabilities, WPS Office users are advised to update their software to the latest version without hesitation. The first “clean” version is 12.2.0.17119.
“The exploit is clever, as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet, while at the same time being highly effective and reliable,” ESET stated in its report. “The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote exploit.”
Via BleepingComputer