Microsoft released patches for numerous security bugs that affected its Office and Paint 3D apps. The bugs existed in the Autodesk FBX library and affected Microsoft products because they handle FBX files.
Microsoft Addressed Autodesk 3D Bugs
Reportedly, Microsoft has recently released out-of-band updates for Office and Paint 3D. These updates address the security bugs that exist in Autodesk 3D software.
Autodesk is a separate entity, known for its AutoCAD software. However, Microsoft’s Paint 3D and Office tools have the Autodesk FBX library integrated, and they support FBX files. Therefore, the vulnerabilities also affected Microsoft products.
According to Autodesk’s advisory, as many as six different vulnerabilities existed in the library, affecting all applications using FBX-SDK Ver. 2020.0 or earlier.
These include a buffer overflow (CVE-2020-7080), type confusion (CVE-2020-7081), use-after-free (CVE-2020-7082), integer overflow (CVE-2020-7083), NULL pointer dereference (CVE-2020-7084), and heap overflow (CVE-2020-7085) vulnerabilities.
Of these, at least five could allow remote code execution attacks, whereas the remaining one could cause a denial of service.
Consequently, Microsoft also acknowledged the impact of these security bugs on its products. Exploiting the flaws merely required an adversary to lure the victim into opening a maliciously crafted file with 3D content. As stated in their advisory:
Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Updates Released For Microsoft Office And Paint 3D
As elaborated by Microsoft, the vulnerabilities affected Microsoft Paint 3D, 3D Viewer, Microsoft Office 2019 (32-bit and 64-bit), and Office 365 ProPlus (32-bit and 64-bit).
However, the tech giant had already released the fixes for Office apps with the March and April updates. Users can manually update Office by opening any Office app and following this path: File > Account > Update Options > Update Now.
Fixes for 3D Viewer and Paint 3D are available with 3D Viewer version 7.2003.11022.0 and Paint 3D version 6.2003.4017.0, respectively.
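To check whether a machine already has the fixed Store app builds named above, the following added example (not taken from Microsoft's or Autodesk's advisory) compares the installed package versions against those minimums. The Appx package names `Microsoft.MSPaint` (Paint 3D) and `Microsoft.Microsoft3DViewer` (3D Viewer) and the function name `Get-FbxPatchStatus` are assumptions of this example; they are not stated in the article.

```powershell
# Minimum fixed versions, taken from the article text above.
# The Appx package names are assumptions of this example.
$FixedVersions = [ordered]@{
    'Microsoft.MSPaint'           = [version]'6.2003.4017.0'    # Paint 3D
    'Microsoft.Microsoft3DViewer' = [version]'7.2003.11022.0'   # 3D Viewer
}

function Get-FbxPatchStatus {
    # Hypothetical helper: one result row per installed package version.
    param([switch]$AllUsers)   # -AllUsers requires an elevated session

    foreach ($name in $FixedVersions.Keys) {
        $required = $FixedVersions[$name]
        $query = @{ Name = $name }
        if ($AllUsers) { $query.AllUsers = $true }
        $packages = @(Get-AppxPackage @query)

        if ($packages.Count -eq 0) {
            # App is not present for the queried user(s); nothing to update.
            [pscustomobject]@{
                Package   = $name
                Installed = $null
                Required  = $required
                Status    = 'NotInstalled'
            }
            continue
        }

        # Different users can hold different versions; report each one.
        foreach ($pkg in $packages) {
            $installed = [version]$pkg.Version
            [pscustomobject]@{
                Package   = $name
                Installed = $installed
                Required  = $required
                Status    = if ($installed -ge $required) { 'Fixed' } else { 'Vulnerable' }
            }
        }
    }
}

Get-FbxPatchStatus | Format-Table -AutoSize
```

Run it with `-AllUsers` from an elevated prompt to cover every profile on a shared machine, since Store apps update per user and an older build can remain registered for an account that has not signed in recently.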