
Microsoft out-of-band Security Updates for Office and Paint 3D

Microsoft released an out-of-band security update that plugs multiple remote code execution vulnerabilities in an Autodesk FBX library incorporated into Microsoft Office, Office 365 ProPlus and Paint 3D applications. A vulnerability management tool can detect multiple vulnerabilities.

Though the updates for these vulnerabilities are rated “Important” in severity, the vulnerabilities allow remote code execution on affected products. They are tracked as CVE-2020-7080, CVE-2020-7081, CVE-2020-7082, CVE-2020-7083, CVE-2020-7084, and CVE-2020-7085. All these vulnerabilities can be patched using a patch management tool.

According to Microsoft’s Tuesday advisory, “Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content.”


Following are the details of the vulnerabilities in the Autodesk FBX library:

1) CVE-2020-7080: A buffer overflow vulnerability exists in the Autodesk FBX-SDK versions 2019.0 and earlier that might lead to arbitrary code execution. For successful exploitation of the vulnerability, an attacker could trick a user into opening a malicious FBX file, triggering the buffer overflow in the FBX SDK and allowing arbitrary code to run on the affected system.

2) CVE-2020-7081: A type confusion vulnerability exists in the Autodesk FBX-SDK versions 2019.0 and earlier that might lead to arbitrary code execution. For successful exploitation of the vulnerability, an attacker could lure a user into opening a malicious FBX file, triggering the type confusion in the FBX SDK and letting the attacker read/write out-of-bounds memory locations, run arbitrary code on the affected system, or cause a denial of service (DoS).

3) CVE-2020-7082: A use-after-free vulnerability exists in the Autodesk FBX-SDK versions 2019.0 and earlier that might lead to remote code execution. For successful exploitation of the vulnerability, an attacker could persuade a user to open a maliciously crafted FBX file, triggering the use-after-free in the FBX SDK. The application then references a memory location that an unauthorized third party controls, letting the attacker run arbitrary code on the compromised system.

4) CVE-2020-7083: An integer overflow vulnerability exists in the Autodesk FBX-SDK versions 2019.0 and earlier that might lead to denial of service (DoS) of the application. For successful exploitation of the vulnerability, an attacker could trick a user into opening a maliciously crafted FBX file, triggering the integer overflow in the FBX SDK and causing a denial of service (DoS).

5) CVE-2020-7084: A NULL pointer dereference vulnerability exists in the Autodesk FBX-SDK versions 2019.0 and earlier that might lead to denial of service (DoS) of the application. For successful exploitation of the vulnerability, an attacker could lure a user into opening a malicious FBX file, triggering the NULL pointer dereference in the FBX SDK and causing a denial of service (DoS).

6) CVE-2020-7085: A heap overflow vulnerability exists in the Autodesk FBX-SDK versions 2019.2 and earlier that may lead to arbitrary code execution. For successful exploitation of the vulnerability, an attacker could lure the user into opening a maliciously crafted FBX file, triggering the heap overflow and gaining limited code execution by altering certain values in the FBX file, which lets the attacker run arbitrary code on the compromised system.


Affected Products

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Office 365 ProPlus
  • Paint 3D

Solution

Microsoft has released a security advisory to fix these vulnerabilities.

SanerNow security content has been published to detect these vulnerabilities. We strongly recommend installing these security updates without any delay.