Cybersecurity firm ESET Research discovered two critical zero-day vulnerabilities in WPS Office for Windows, which were exploited by a South Korea-aligned cyberespionage group, APT-C-60, to deliver malware to users in China.
Developed by Zhuhai-based Chinese software firm Kingsoft, WPS Office is a popular office productivity suite, especially in East Asian regions. It has more than 500 million active users worldwide.
ESET Research discovered the first critical zero-day, identified as CVE-2024-7262 (CVSS score: 9.3), during an investigation into APT-C-60's activities. They found a strange spreadsheet document linked to the hacking group's downloader components.
Further analysis by ESET led to the discovery of a code execution vulnerability in WPS Office for Windows that was being exploited in the wild by APT-C-60 to install the custom "SpyGlace" backdoor, also known as TaskControler.dll, to target East Asian countries.
This flaw stemmed from the lack of sanitization of an attacker-provided file path and the lack of validation of the plugin being loaded. Leveraging this vulnerability allowed code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe.
APT-C-60 created malicious spreadsheet documents disguised as standard MHTML exports of Microsoft Excel (XLS) files. These documents contained hidden hyperlinks designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application.
"To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this," explained ESET researcher Romain Dumont, who analyzed the flaw.
"When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk," the researcher added.
"Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet's rows and columns inside the spreadsheet in order to deceive and convince the user that the document is a regular spreadsheet."
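The root cause described above is a missing check on an attacker-supplied path combined with a missing check on the plugin itself. The following is an added example of what both checks can look like in a plugin loader; it is not WPS Office code, and the install directory, plugin name, allowlist and file contents are hypothetical values constructed for illustration.

```python
import hashlib
import hmac
import ntpath
from pathlib import PureWindowsPath

# Hypothetical install layout and allowlist, constructed for this example.
PLUGIN_DIR = PureWindowsPath(r"C:\Program Files\ExampleOffice\plugins")
GOOD_BYTES = b"constructed stand-in for a vetted plugin binary"
TRUSTED_SHA256 = {"chart.dll": hashlib.sha256(GOOD_BYTES).hexdigest()}


class PluginRejected(Exception):
    pass


def validate_plugin(requested: str, read_bytes) -> PureWindowsPath:
    """Return the path that may be loaded, or raise PluginRejected."""
    if "\x00" in requested:
        raise PluginRejected("NUL byte in path")
    # Resolve against the plugin directory with Windows semantics. An absolute
    # or UNC input replaces the base here, and '..' segments are collapsed, so
    # the single parent check below catches remote shares and traversal alike.
    full = ntpath.normpath(ntpath.join(str(PLUGIN_DIR), requested))
    path = PureWindowsPath(full)
    if path.parent != PLUGIN_DIR:  # PureWindowsPath compares case-insensitively
        raise PluginRejected(f"outside plugin directory: {full}")
    # Validate the plugin itself: known name, and contents match the pinned hash.
    expected = TRUSTED_SHA256.get(path.name.lower())
    if expected is None:
        raise PluginRejected(f"not an allowlisted plugin: {path.name}")
    digest = hashlib.sha256(read_bytes(full)).hexdigest()
    if not hmac.compare_digest(digest, expected):
        raise PluginRejected("hash mismatch")
    return path


def verdict(requested: str, files: dict) -> str:
    """Run the check against an in-memory file table (constructed test data)."""
    try:
        validate_plugin(requested, lambda p: files[p.lower()])
        return "load"
    except PluginRejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    files = {str(PLUGIN_DIR).lower() + r"\chart.dll": GOOD_BYTES}
    for req in ("chart.dll", r"..\..\Temp\x.dll", r"\\198.51.100.7\share\x.dll"):
        print(f"{req!r:40} -> {verdict(req, files)}")
```

In a real loader the hash check and the load must operate on the same open file handle, otherwise the file can be swapped between the two steps.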
According to ESET, WPS Office developer Kingsoft silently patched the zero-day bug in question (CVE-2024-7262) when it released version 12.1.0.16412. However, during the patch analysis, ESET researchers discovered that Kingsoft hadn't fully remediated the issue.
During the patch analysis for CVE-2024-7262, ESET researchers discovered a second severe vulnerability, CVE-2024-7263 (CVSS score of 9.3), which hackers could exploit because of improper input validation.
ESET Research reported both vulnerabilities to Kingsoft, which acknowledged them and has since patched them in WPS Office. The affected versions of WPS Office for Windows range from 12.2.0.13110, which was released around August 2023, up to the release of the patched version 12.2.0.17119 at the end of May 2024.
To mitigate these risks, ESET strongly recommends that all users of WPS Office for Windows update their software to the latest release immediately.