Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications.
Last month, Autodesk issued security updates for its Autodesk FBX Software Development Kit that resolve remote code execution and denial-of-service vulnerabilities caused by specially crafted FBX files.
An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations.
To exploit these vulnerabilities, an attacker would create a malicious FBX file that would exploit “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities” to perform a DoS attack or remotely execute code.
Microsoft Office uses the Autodesk FBX library
Because the Microsoft Office 2016, Microsoft 2019, Office 365, and Paint 3D applications use the Autodesk FBX library, Microsoft today released new security updates that resolve these remote code execution and DoS vulnerabilities in its products.
In an advisory titled “ADV200004 | Availability of updates for Microsoft software utilizing the Autodesk FBX library”, Microsoft explains that opening malicious FBX files in Office applications could lead to remote code execution.