Kingsoft Office Remote Code Execution

Product Kingsoft Office
Severity High
CVE Reference CVE-2014-2271
Type Remote Code Execution through MitM Attack on Kingsoft Office Application

MWR have discovered a vulnerability in the Kingsoft Office application, shipped by default with the Huawei P2 mobile phone. The vulnerability takes advantage of an SSL connection falling back to a clear text connection in order to inject content into a WebView with a vulnerable JavaScript bridge. Exploiting this issue allows an attacker to remotely execute commands on the device in the context of the Kingsoft Office application.

The advisory can be downloaded here.