Critical Security Flaws Detected in WPS Office, Immediate Upgrade Recommended

According to a report released by cybersecurity firm ESET, WPS Office, the popular office software suite under Kingsoft Office, has recently been found to contain two critical security vulnerabilities. These vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, both received a severity rating of 9.3 out of 10.

These vulnerabilities enable attackers to perform Remote Code Execution (RCE). ESET has observed that these security flaws have been weaponized, with attackers crafting specialized spreadsheets designed to exploit these vulnerabilities for phishing attacks.

Technical Details of the Vulnerabilities:

The vulnerabilities are located within the promecefoluginhost.exe component of WPS Office. Specifically, CVE-2024-7262 affects versions 12.2.0.13110 to 12.2.0.13489, while CVE-2024-7263 impacts versions 12.2.0.13110 to 12.2.0.17153.

The issue stems from improper path validation, allowing attackers to load and execute arbitrary Windows libraries. To exploit these vulnerabilities, an attacker must first create a spreadsheet containing malicious code. This spreadsheet is then distributed via email, download sites, or other means to the target user. Once opened by the victim, the attacker can remotely execute arbitrary code, including taking control of the target device to steal sensitive information.

Patch Updates:

In response to CVE-2024-7262, Kingsoft Office released version 12.2.0.16909 as a fix. However, researchers soon discovered that the fix was incomplete, with CVE-2024-7262 affecting  version below 12.2.0.17153 (excluding this version). This oversight, due to not properly cleaning up additional parameters, allowed attackers to reload Windows libraries and bypass Kingsoft's security measures.

Following feedback from researchers, Kingsoft Office then released version 12.2.0.17153 to address the issue. Consequently, all users are advised to check and upgrade to the latest version to ensure the vulnerabilities are fully resolved.

It's worth noting that there are unconfirmed reports suggesting the issue only affects the international version of WPS Office, with the Chinese version reportedly not impacted. However, without confirmation, it's recommended that both international and Chinese version users upgrade immediately to ensure safety.

Lastly, a reminder to all users, especially corporate ones, to carefully check the sender and attachments of emails claiming to contain quotations, invoices, and similar content. Avoid opening them directly to prevent attacks from malicious code.