Microsoft issues out-of-band Office and Paint 3D security updates to stop 3D graphic attack

Microsoft Office, Office 365 ProPlus, and Paint 3D affected by multiple bugs in Autodesk 3D software.
Written by Liam Tung, Contributing Writer

Microsoft has released important security updates for Office, Office 365 ProPlus, and Paint 3D products to address multiple newly disclosed bugs in Autodesk's library for the FBX file format for 3D animations. 

The updates affect Microsoft products that integrate the Autodesk FBX 3D library, which include Microsoft Office 2016 Click-to-Run (C2R) for 32-bit and 64-bit editions, Microsoft Office 2019 for 32-bit and 64-bit editions, and Office 365 ProPlus for 32-bit and 64-bit systems, as well as Paint 3D. 

While the fixes are only rated 'important', the vulnerabilities in the Autodesk FBX library do allow remote code execution on affected products. 

SEE: 10 tips for new cybersecurity pros (free PDF)

However, to exploit the bugs, the attacker would need to send victims a malicious 3D FBX file and trick them into opening it. 

The attacker would then gain the same user rights as the local user. Microsoft notes that accounts with fewer rights on the system could be less affected than those with administrative rights. 

Autodesk, the maker of the widely used AutoCAD software, revealed in an advisory last Wednesday that applications and services that use the FBX-SDK Version 2020.0 or earlier are affected by buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities.   

The vulnerabilities are tracked as CVE-2020-7080, CVE-2020-7081, CVE-2020-7082, CVE-2020-7083, CVE-2020-7084, and CVE-2020-7085. 

Max Van Amerongen, an F-Secure researcher reported CVE-2020-7085, the heap overflow bug, to Autodesk. He's posted a video demonstration of his proof-of-concept exploit for the bug on Twitter. 

The bugs affected several other Autodesk products, including AutoCAD, Maya, Motion Builder, Mudbox, 3ds Max, Fusion, Revit, Infraworks, and Navisworks.  

Autodesk also thanked the Microsoft Security Response Center Vulnerabilities and Mitigations Team for their partnership. 

UPDATE May 6:  Autodesk released an update to the security advisory on April 28, in which it removed Revit from the list of affected products. 

Editorial standards