Autodesk is a separate entity known for its AutoCAD software. However, Microsoft’s Paint 3D and Office tools integrate the Autodesk FBX library and support FBX files, so the vulnerabilities also affected Microsoft products.
According to Autodesk’s advisory, as many as six different vulnerabilities existed in the library, affecting all applications using FBX-SDK Ver. 2020.0 or earlier.
These include a buffer overflow (CVE-2020-7080), type confusion (CVE-2020-7081), use-after-free (CVE-2020-7082), integer overflow (CVE-2020-7083), NULL pointer dereference (CVE-2020-7084), and heap overflow (CVE-2020-7085) vulnerabilities.
Of these, at least five could allow remote code execution attacks, whereas the remaining one could cause a denial of service.
Consequently, Microsoft also acknowledged the impact of these security bugs on its products. Exploiting the flaws merely required an adversary to lure the victim into opening a maliciously crafted file with 3D content. As stated in their advisory:
"Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The tech giant had already released the fixes for Office apps with the March and April updates. Users can manually update Office by opening any Office app and following this path: File > Account > Update Options > Update Now.
Fixes for 3D Viewer and Paint 3D are available with 3D Viewer version 7.2003.11022.0 and Paint 3D version 6.2003.4017.0, respectively.