The flaws exist in Autodesk's FBX Software Development Kit, which is supported in Microsoft Office 2019 and Office 365 ProPlus.
Microsoft has published an advisory warning of multiple vulnerabilities in the Autodesk FBX library, which is integrated into some software, including new versions of Microsoft Office.
FBX is short for Filmbox, a file format used to save motion capture data, as well as video and audio streams. The proprietary format is owned by Autodesk and supported in Microsoft Office products including Microsoft Office 2019 and Office 365 ProPlus. Because the code to process these files comes from Autodesk, the latest versions of Office are exposed to six vulnerabilities disclosed in an Autodesk advisory announcing patches for CVE-2020-7080 to CVE-2020-7085.
"These vulnerabilities are due to a range of different programming errors that often creep into code that handles complex data objects, namely: buffer overflow, type confusion, use after free, integer overflow and null pointer dereference," Sophos researchers explain in an analysis.
Five out of the six flaws disclosed are remote code execution vulnerabilities. These exist in Microsoft products that use the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these flaws could achieve the same rights as the local user, Microsoft explains in its advisory. To do this, they would have to send a specially crafted file containing 3D content and convince the recipient to open it.
As Sophos points out in its blog post, a victim won't necessarily see a prompt reading "do you want to download" before they open or preview a bad file. They would have to interact with the malicious content, but they wouldn't see a secondary warning that may raise a red flag.
Read Microsoft's full advisory here.