Update to Version 17.0.0 Recommended to Thwart ‘Dirty Stream’ Attack

  • Last updated May 15, 2024

A significant security flaw has been discovered in WPS Office for Android, placing the data integrity of over half a billion users at risk. The vulnerability, officially cataloged as CVE-2024-35205, has been rated with a medium severity score of 4.2.

According to reports, the issue’s core lies in “Path Traversal in the File Name Handler component of the application.” This vulnerability has opened doors for attackers to manipulate the path name handling functions of WPS Office, which “lacks proper sanitization of file names before they are processed.”

This defect could potentially allow malicious entities to execute arbitrary commands under the guise of the application’s ID.
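The missing check described above, sketched as an added example (not WPS Office's code and not part of the original report): a file name supplied by another app is resolved naively and then with sanitization plus a containment check. The class, method, and directory names are hypothetical, and the sample names are constructed.

```java
import java.io.File;
import java.io.IOException;

public class SafeFileName {
    // Naive handling: trusts the sender-supplied name as-is.
    static File resolveNaive(File baseDir, String untrustedName) {
        return new File(baseDir, untrustedName);
    }

    // Hardened handling: keep only the last path segment, reject empty,
    // dot-only, or NUL-containing names, then confirm the canonical result
    // is still inside baseDir (this also catches symlinks pointing outside).
    static File resolveSafe(File baseDir, String untrustedName) throws IOException {
        if (untrustedName == null) throw new IOException("missing file name");
        String name = untrustedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('\0') >= 0) {
            throw new IOException("rejected file name");
        }
        File base = baseDir.getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            throw new IOException("path escapes base directory");
        }
        return target;
    }

    // True when the candidate, once canonicalized, stays under baseDir.
    static boolean isInside(File baseDir, File candidate) throws IOException {
        return candidate.getCanonicalFile().toPath()
                .startsWith(baseDir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical private directory where received files are cached.
        File base = new File(System.getProperty("java.io.tmpdir"), "incoming_demo");
        // Constructed sample names, as a sending app might supply them.
        String[] samples = {"report.docx", "../../shared_prefs/settings.xml", ".."};
        for (String s : samples) {
            boolean naiveOk = isInside(base, resolveNaive(base, s));
            String safe;
            try {
                safe = resolveSafe(base, s).getName();
            } catch (IOException e) {
                safe = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.printf("%-34s naive stays inside: %-5b safe: %s%n", s, naiveOk, safe);
        }
    }
}
```

With the hardened resolver, a name containing directory components is reduced to its final segment and written only inside the receiving directory, while a bare `..` is rejected outright.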


Further complicating the vulnerability is its classification as part of the broader “Dirty Stream” attack methodology. As detailed by Microsoft, this involves attackers “connecting to remote file shares using FTP and SMB protocols with the user credentials stored in plain text in a file on Android.”

The good news for users is that the latest software update has already addressed this critical vulnerability. WPS Office has released version 17.0.0 for Android, which patches this flaw. Users are urged to “upgrade to the latest version to prevent the exploitation of this vulnerability by threat actors.” It is also recommended to use the best VPNs to protect and secure your online visibility.

In response to the discovery, WPS Office has acted swiftly to mitigate any potential damage and reinforce the security of its popular office suite, which supports documents, spreadsheets, and presentations, among other features. These measures were sorely needed, as the number of individuals impacted by phishing attacks globally in 2024 could exceed 1.1 million, indicating a continuous upward trend in phishing incidents.
