Microsoft has published an advisory warning of multiple vulnerabilities in the Autodesk FBX library, which is integrated into some software, including new versions of Microsoft Office.
FBX is short for Filmbox, a file format used to save motion capture data, as well as video and audio streams. The proprietary format is owned by Autodesk and supported in Microsoft Office products including Microsoft Office 2019 and Office 365 ProPlus. Because the code to process these files comes from Autodesk, the latest versions of Office are exposed to six vulnerabilities disclosed in an Autodesk advisory announcing patches for CVE-2020-7080 to CVE-2020-7085.
"These vulnerabilities are due to a range of different programming errors that often creep into code that handles complex data objects, namely: buffer overflow, type confusion, use after free, integer overflow and null pointer dereference," Sophos researchers explain in an analysis.
Five of the six flaws disclosed are remote code execution vulnerabilities. These exist in Microsoft products that use the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these flaws could gain the same rights as the local user, Microsoft explains in its advisory. To do this, they would have to send a specially crafted file containing 3D content and convince the recipient to open it.
As Sophos points out in its blog post, a victim won't necessarily see a prompt reading "do you want to download" before they open or preview a bad file. They would have to interact with the malicious content, but they wouldn't see a secondary warning that may raise a red flag.
Read Microsoft's full advisory here.