Users of several Microsoft services are receiving an important security update. Redmond has rolled out patches for Microsoft Office, Office 365, and Paint 3D. According to Microsoft, the updates squash recently discovered bugs in the Autodesk FBX 3D library.
The named Microsoft products all integrate the Autodesk FBX library, which handles the FBX file format for 3D animations. Among those products are Paint 3D, Microsoft Office 2016 Click-to-Run, Microsoft Office 2019, and Office 365 ProPlus. All affected Office products are for 32-bit and 64-bit systems.
Microsoft points out the vulnerabilities are rated “important” and not “critical”, even though they would allow bad actors to carry out remote code execution attacks through Autodesk FBX. However, attackers would need to have system access as a credentialed local user to affect the Microsoft products.
“Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Autodesk confirmed the problem in an advisory last week. The AutoCAD developer says all apps that use FBX-SDK Version 2020.0 or earlier have the bug. There are several vulnerabilities, including type confusion, use-after-free, buffer overflow, NULL pointer dereference, integer overflow, and heap overflow.
Those vulnerabilities are listed as CVE-2020-7081, CVE-2020-7082, CVE-2020-7080, CVE-2020-7084, CVE-2020-7083, and CVE-2020-7085. Specific Autodesk products are directly affected by the bugs, including Motion Builder, AutoCAD, Mudbox, Maya, Fusion, Infraworks, Revit, and Navisworks.
The company thanks Microsoft’s Security Response Center Vulnerabilities and Mitigations Team for helping to identify the problems.