Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.
The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications.
“Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content,” according to Microsoft’s Tuesday advisory.
Affected products include Office 365 ProPlus (for 32- and 64-bit systems), which is Microsoft’s subscription that comes with premium apps like Word, Excel, PowerPoint, Outlook and Teams; as well as Paint 3D (formerly known as Microsoft Paint), Microsoft’s 3D modeling and printing application. Microsoft Office 2016 (Click-to-Run for 32- and 64-bit editions) and Microsoft Office 2019 (for 32- and 64-bit editions) are also impacted.
The Autodesk flaws all stem from FBX’s software development kit (SDK). They include a high-severity buffer overflow flaw (CVE-2020-7080) that could enable an attacker to run arbitrary code, a type confusion vulnerability (CVE-2020-7081) that could allow an attacker to read/write out-of-bounds memory location or run arbitrary code on the system or lead to denial-of-service (DoS), and a use-after-free glitch (CVE-2020-7082) that could cause an application to reference a memory location controlled by an unauthorized third party – allowing them to run arbitrary code on the system.
Other flaws include an integer overflow vulnerability (CVE-2020-7083) that could be abused to cause the application to crash (leading to DoS), and a Null Pointer Dereference vulnerability (CVE-2020-7084) that could enable a DoS attack.
Finally, a high-severity heap overflow flaw in vulnerable FBX parsers (CVE-2020-7085) can be abused to obtain a limited code execution by altering certain values in a FBX file, causing the application to run arbitrary code on the system.
The latter flaw was reported by F-Secure security researcher Max Van Amerongen, who demonstrated his proof-of-concept (PoC) exploit for the flaw on Twitter.
My Autodesk FBX Heap Overflow (CVE-2020-7085) has now been disclosed at https://t.co/jvumWcCZE7
Works on FBX SDK < 2019.5
PoC video from disclosure: pic.twitter.com/vayCIomgaP
— maxpl0it (@maxpl0it) April 17, 2020
Real Life Attack
In a real life scenario, an attacker would need to send a specially crafted file (containing 3D content) to a user and convince them to open it in order to exploit the flaws.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user, according to Microsoft.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” it said.
The security updates addresses these vulnerabilities by correcting the way 3D content is handled by Microsoft software.
The patches were out-of-band, meaning they were outside of Microsoft’s regularly scheduled Patch Tuesday updates. For its April 2020 Patch Tuesday updates, Microsoft disclosed 113 vulnerabilities – including 19 rated as critical, and 94 rated as important, and three being exploited in the wild.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.