Microsoft issued an out-of-band advisory this week to address Autodesk FBX vulnerabilities in Office, Office 365, and Paint 3D.
Multiple bugs that were addressed in the Autodesk FBX software development kit (SDK) earlier this month could lead to code execution and denial of service conditions.
All applications and services using the FBX-SDK Ver. 2020.0 or earlier could be impacted by “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities,” Autodesk explains.
The addressed bugs are tracked as CVE-2020-7080 (leading to code execution), CVE-2020-7081 (leading to code execution or denial of service), CVE-2020-7082 (code execution), CVE-2020-7083 (denial of service), CVE-2020-7084 (denial of service), and CVE-2020-7085 (code execution).
According to Microsoft, the use of the Autodesk FBX library in some of its products has resulted in remote code execution vulnerabilities that are triggered when processing specially crafted 3D content.
An attacker able to exploit the bugs could gain the same user rights as the local user, Microsoft says. To target the vulnerabilities, the attacker would need to send a specially crafted file containing 3D content to the user, and lure them into opening the file.
“The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software,” the tech giant notes in an advisory.
No mitigating factors or workarounds have been identified.
“Microsoft has labeled this as a remote code execution vulnerability; however, it’s important to note that this vulnerability requires a user to open a malicious file, which is not remote execution,” Ryan Seguin, Research Engineer, Tenable, said in an emailed comment.
“Some may question how Microsoft Office is vulnerable to an Autodesk vulnerability. It’s not poor security practices on Microsoft’s part by any means, but vulnerabilities like these are a good example of how incorporating another group’s tools and code means that you also incorporate their vulnerabilities into your own product – in this case, Microsoft Office, Office 365 ProPlus, and Paint 3D,” Seguin continued.
Although the out-of-band advisory was published this week, patches for the vulnerable software are expected to arrive as part of May’s Patch Tuesday.
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
