CyberSecurity SEE

South Korean APT exploits one-click WPS Office bug, captures Chinese intelligence

Earlier this year a serious security flaw was identified in WPS Office, a widely used office suite in China, that allowed a South Korean advanced persistent threat (APT) group to conduct espionage against high-profile individuals and organizations in China. The incident drew attention to the weaknesses in the popular suite and the risk they pose to its vast user base.

WPS Office, a free competitor to Microsoft Office, boasts a significant user base of 600 million monthly active users as of June. Particularly prevalent in China, where it holds over 90% market share in mobile office software, WPS Office is extensively utilized across various sectors including government agencies and telecommunications companies. A recent service outage that lasted half a day caused significant disruptions in the country, underscoring the software’s widespread adoption and critical role in daily operations.

The ubiquity of WPS Office, coupled with the sensitive nature of the documents often processed in it, makes the suite an appealing target for attackers seeking to infiltrate Chinese entities. APT-C-60, also known as Pseudo Hunter, exploited a critical flaw in the software earlier this year, using arbitrary code execution to deploy a custom backdoor named “SpyGlace” on the systems of WPS users. According to China-based DBAPPSecurity, the aim of the campaign was to gather intelligence on China-South Korea relations, underscoring the geopolitical implications of such breaches.

The vulnerability that enabled the APT group’s activity within WPS Office was an RCE (remote code execution) bug. Researchers from ESET found a suspicious spreadsheet document uploaded to VirusTotal, packaged as an MHTML file that contained a disguised malicious link. Victims who interacted with the spreadsheet inadvertently triggered the download of the backdoor, giving the attackers access to their systems. The flaw originated in an insecure plug-in component, promecefpluginhost.exe, that failed to validate file paths, allowing malicious code to be executed through a custom protocol handler registered by WPS.
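The delivery mechanism described above (an MHTML document carrying a link that targets a WPS-registered protocol handler and its plug-in host) lends itself to a simple triage check. The following is an added example, not code from the article or from ESET: it parses an MHTML file with Python's standard email parser and flags hyperlinks whose URL scheme is not an ordinary web scheme, as well as any link that names promecefpluginhost.exe. The page does not give the real protocol scheme, so the constructed sample uses a made-up `custom-scheme:` URL.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Schemes a spreadsheet exported as MHTML would normally contain.
BENIGN_SCHEMES = {"http", "https", "mailto", "cid"}
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
PLUGIN_HOST = "promecefpluginhost"  # plug-in host named in the article

# Constructed sample: one ordinary link and one link that targets a
# hypothetical custom handler and the plug-in host.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part"

------=_Part
Content-Type: text/html; charset="utf-8"
Content-Location: file:///C:/sheet.htm

<html><body>
<a href="https://example.com/report">Quarterly report</a>
<a href="custom-scheme://launch?host=promecefpluginhost.exe">Open sheet</a>
</body></html>
------=_Part--
"""


def find_suspicious_links(mhtml_bytes: bytes) -> list[dict]:
    """Return one finding per link that uses a non-web scheme or names the plug-in host."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no body of their own
        try:
            body = part.get_content()
        except Exception:
            continue  # undecodable part; not a text body we can scan
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        for url in HREF_RE.findall(body):
            reasons = []
            scheme = urlsplit(url).scheme.lower()
            if scheme and scheme not in BENIGN_SCHEMES:
                reasons.append("non-web URL scheme")
            if PLUGIN_HOST in url.lower():
                reasons.append("references WPS plug-in host")
            if reasons:
                findings.append({"part": part.get("Content-Location", "?"),
                                 "url": url, "reasons": reasons})
    return findings
```

Run it over quarantined MHTML attachments; a hit is a reason to escalate, not proof of exploitation, since legitimate custom schemes exist.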

Designated as CVE-2024-7262, this critical vulnerability was assigned a severity score of 9.3 out of 10 on the CVSS scale, affecting WPS Office for Windows versions released within the past year. Despite a patch being released in March, subsequent assessments unveiled additional vulnerabilities that had not been effectively addressed. A secondary bug, CVE-2024-7263, surfaced in late April due to incomplete sanitization of parameters, posing similar risks of remote code execution.

In response, WPS developer Kingsoft shipped a two-part fix for the original vulnerability, though the lingering weaknesses it left behind had to be patched later. In light of these findings, security experts emphasize the importance of promptly updating WPS Office to mitigate the risks posed by these critical vulnerabilities. Users are urged to exercise caution while using the software and remain vigilant against threats that exploit such weaknesses. By staying informed and applying patches promptly, individuals and organizations can strengthen their defenses against attacks targeting popular software platforms like WPS Office.
