A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution.
At the same time, a security update has also been released for Paint 3D, the company’s free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
About the vulnerabilities
Autodesk – the company behind the popular AutoCAD software but also a variety of other specialized apps used by architects, engineers, digital media creators, manufacturers, etc. – fixed six vulnerabilities (CVE-2020-7080 through CVE-2020-7085) in its FBX Software Developer Kit (SDK).
All can be triggered if a user is tricked into opening a specially crafted, malicious FBX file, and can either create a DoS condition or make the application run arbitrary code on the underlying system.
Since the Autodesk FBX library is integrated into MS Office apps and the Paint 3D app, them processing specially crafted 3D content may lead to remote code execution.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explained.
What to do?
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it. (Just viewing it through the Preview Pane is not enough to trigger the exploitation.)
The fact that exploitation requires user interaction makes the vulnerabilities important but not critical. Nevertheless, tricking users into opening random files is, unfortunately, something that attackers know how to do well.
There are no mitigating factors or workarounds for the flaws, so users and admins are urged to implement the provided updates, especially if they often deal with FBX files.