ESET Discovers Vulnerability in WPS Office for Windows

ESET Discovers Vulnerability in WPS Office for Windows

ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). It was being exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. When examining the root cause, ESET discovered another way to exploit the faulty code (CVE-2924-7263). Following a coordinated disclosure process, both vulnerabilities are now patched. The final payload in the APT-C-60 attack is a custom backdoor with cyberespionage capabilities that ESET Research internally named SpyGlace.

“While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities. During the coordinated vulnerability disclosure process between ESET and the vendor, DBAPPSecurity independently published an analysis of the weaponized vulnerability and confirmed that APT-C-60 has exploited the vulnerability to deliver malware to users in China.

The malicious document comes as an MHTML export of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution.

“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explains Dumont. “When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk,” he adds.

Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and columns inside to deceive and convince the user that the document is a regular spreadsheet. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.

“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves,” concludes Dumont.

After analyzing Kingsoft’s silently released patch, Dumont noticed that it had not properly corrected the flaw and discovered another way to exploit it due to an improper input validation. ESET Research reported both vulnerabilities to Kingsoft, who acknowledged and patched them. Two high severity CVE entries were created: CVE-2024-7262 and CVE-2024-7263.

The discovery underlines the importance of a careful patch verification process and making sure that the core issue has been addressed in full. ESET strongly advises WPS Office for Windows users to update their software to the latest release.

 

Are pre-owned smartphones safe?

Are pre-owned smartphones safe?

Phil Muncaster, guest writer at ESET, explains that buying a pre-owned phone…
Why your cloud security strategy may be obsolete by 2025?

Why your cloud security strategy may be obsolete by 2025?

John Engates, Field CTO of Cloudflare, warns that within 18 months,…
Shaping the Future of Connectivity with 5G Network APIs

Shaping the Future of Connectivity with 5G Network APIs

Lucky La Riccia, Vice President and Head of Cloud Software and…
OmniOps secures $8 million from GMS Capital Ventures

OmniOps secures $8 million from GMS Capital Ventures

OmniOps, the first Saudi Arabia-based AI Infrastructure Technology provider, announced the successful…
lechef all set to transform workplace dining in the region

lechef all set to transform workplace dining in the region

Saudi-based serial entrepreneur Eugen Brikcius announced the launch of its new food…
Clemta ready to cater entrepreneurs in the region

Clemta ready to cater entrepreneurs in the region

Clemta, the one-stop shop for global entrepreneurs incorporating in the US, has…