Microsoft issued an out-of-band advisory this week to address Autodesk FBX vulnerabilities in Office, Office 365, and Paint 3D.
Multiple bugs that were addressed in the Autodesk FBX software development kit (SDK) earlier this month could lead to code execution and denial of service conditions.
All applications and services using the FBX-SDK Ver. 2020.0 or earlier could be impacted by “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities,” Autodesk explains.
The addressed bugs are tracked as CVE-2020-7080 (leading to code execution), CVE-2020-7081 (leading to code execution or denial of service), CVE-2020-7082 (code execution), CVE-2020-7083 (denial of service), CVE-2020-7084 (denial of service), and CVE-2020-7085 (code execution).
According to Microsoft, the use of the Autodesk FBX library in some of its products has resulted in remote code execution vulnerabilities that are triggered when processing specially crafted 3D content.
An attacker able to exploit the bugs could gain the same user rights as the local user, Microsoft says. To target the vulnerabilities, the attacker would need to send a specially crafted file containing 3D content to the user, and lure them into opening the file.
“The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software,” the tech giant notes in an advisory.
No mitigating factors or workarounds have been identified.
“Microsoft has labeled this as a remote code execution vulnerability; however, it’s important to note that this vulnerability requires a user to open a malicious file, which is not remote execution,” Ryan Seguin, Research ..
Support the originator by clicking the read the rest link below.
