Microsoft issued an out-of-band advisory this week to address Autodesk FBX vulnerabilities in Office, Office 365, and Paint 3D.
Multiple bugs that were addressed in the Autodesk FBX software development kit (SDK) earlier this month could lead to code execution and denial of service conditions.
All applications and services using the FBX-SDK Ver. 2020.0 or earlier could be impacted by “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities,” Autodesk explains.
The addressed bugs are tracked as CVE-2020-7080 (leading to code execution), CVE-2020-7081 (leading to code execution or denial of service), CVE-2020-7082 (code execution), CVE-2020-7083 (denial of service), CVE-2020-7084 (denial of service), and CVE-2020-7085 (code execution).
According to Microsoft, the use of the Autodesk FBX library in some of its products has resulted in remote code execution vulnerabilities that are triggered when processing specially crafted 3D content.
An attacker able to exploit the bugs could gain the same user rights as the local user, Microsoft says. To target the vulnerabilities, the attacker would need to send a specially crafted file containing 3D content to the user, and lure them into opening the file.
“The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software,” the tech giant notes in an advisory.
No mitigating factors or workarounds have been identified.
“Microsoft has labeled this as a remote code execution vulnerability; however, it’s important to note that this vulnerability requires a user to open a malicious file, which is not remote execution,” Ryan Seguin, Research Engineer, Tenable, said in an emailed comment.
“Some may question how Microsoft Office is vulnerable to an Autodesk vulnerability. It’s not poor security practices on Microsoft’s part by any means, but vulnerabilities like these are a good example of how incorporating another group’s tools and code means that you also incorporate their vulnerabilities into your own product – in this case, Microsoft Office, Office 365 ProPlus, and Paint 3D,” Seguin continued.
Although the out-of-band advisory was published this week, patches for the vulnerable software are expected to arrive as part of May’s Patch Tuesday.