Hackers have exploited a WPS Office zero-day to spread dangerous malware
Popular workplace productivity software WPS Office contained a vulnerability that could allow attackers to install backdoors on targets’ endpoints, experts claim.
Cybersecurity researchers at ESET discovered that WPS Office was vulnerable to an improper path validation error, tracked as CVE-2024-7262. It has a severity rating of 9.3 (critical) and affects multiple versions (from 12.2.0.13110 to 12.1.0.16412). The first patch to fix the issue was released in March 2024, but some threat actors reportedly exploited it a month earlier.
A South Korean state-sponsored group known as APT-C-60 used the flaw to drop a backdoor called SpyGlace on endpoints in East Asia, which makes sense since WPS Office is quite popular in that part of the world and reportedly has over 500 million active users. SpyGlace appears to be a brand-new piece of malware, as there were no reports of it prior to this incident.
Do not patch
Kingsoft, the company behind WPS Office, released a patch for the incorrect path validation flaw in March 2024, but the patch did not fully address the issue. In fact, it introduced an additional vulnerability, tracked as CVE-2024-7263, which was fixed two months later in May.
No threat actors seem to have noticed the new bug so far, and no one appears to be exploiting it. However, chances are it’s only a matter of time before someone picks up the trail.
To stay safe and address both vulnerabilities, WPS Office users are advised to update their software to the latest version without hesitation. The first “clean” version is 12.2.0.17119.
“The exploit is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet, while also being very effective and reliable,” ESET said in its report. “The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote vulnerability.”
Via BleepingComputer