Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications.
Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolves remote code execution and denial of service vulnerabilities caused by specially crafted FBX files.
An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations.
To exploit these vulnerabilities, an attacker would create a malicious FBX file that would exploit “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities” to perform a DoS attack or remotely execute code.
Microsoft Office uses the Autodesk FBX library
As the Microsoft Office 2016, Microsoft 2019, Office 365, and Paint 3D applications utilize the Autodesk FBX library, Microsoft has released today new security updates that resolve these remote code execution and DoS vulnerabilities in their products.
In an advisory titled “ADV200004 | Availability of updates for Microsoft software utilizing the Autodesk FBX library”, Microsoft explains that opening malicious FBX files in Office applications could lead to remote code execution.
Microsoft is announcing the release of updates to address multiple vulnerabilities found in the Autodesk FBX library which is integrated into certain Microsoft applications. Details about the vulnerabilities can be found here – https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002
Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it.
The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software.
How to install the Microsoft Office security updates
To install these security updates now, Office users can open an Office application, click on the File menu option, and then select Account.
When the account page opens, on the right, you will see a section titled “Office Updates” with a button labeled ‘Update Options’. Click on this button and select Update Now.
Microsoft Office will now check for and install any available updates.
Once the updates are downloaded and installed, Microsoft Office will need to restart your Office applications. Be sure to save any open documents before doing so.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.