South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

In a recent cybersecurity incident, a South Korean APT group exploited a critical vulnerability in WPS Office, a popular office software widely used in China, to spy on high-profile targets. This breach shed light on other security issues within the software, posing a significant threat to its massive user base.

WPS Office, a free alternative to Microsoft Office, boasts over 600 million monthly active users, predominantly in China where it holds a dominant market share. A recent service outage caused widespread disruptions across various sectors in the country, highlighting the software’s integral role in everyday operations.

The software’s prevalence makes it an appealing target for cyber threats, as demonstrated by the APT-C-60 group’s deployment of a custom backdoor named “SpyGlace” through an exploit in WPS Office earlier this year. The group’s motive, as reported by China-based DBAPPSecurity, was to gather intelligence on China-South Korea relations.

An RCE Bug in WPS Office

Researchers from ESET uncovered a malicious spreadsheet document disguised as an MHTML file that leveraged an exploit to deliver malware via WPS Office. The attack relied on tricking the user into activating a hidden malicious link embedded in the spreadsheet, which in turn led to the installation of the backdoor.

The vulnerability stemmed from a flaw in promecefpluginhost.exe, a plug-in component in WPS Office, which allowed the execution of malicious code through a custom protocol handler. Tracked as CVE-2024-7262, this critical issue affected a wide range of WPS Office versions for Windows.

A Second Bug in WPS Office

Following a partial fix for CVE-2024-7262, a subsequent vulnerability, now known as CVE-2024-7263, was identified and remained unaddressed for some time. Despite the effort to patch the initial issue, the software remained exposed, which is why all WPS users are urged to update promptly to mitigate the risk of exploitation.