Microsoft Issues Out-of-band Office And Paint 3D Security Updates To Stop 3D Graphic Attack

The Autodesk ADSK-SA-2020-0002 vulnerabilities are Denial of Service and Arbitrary Code Execution flaws in the FBX library. If exploited, these vulnerabilities could allow an attacker to run code on an affected system with the same user permissions as that of the person who opened the malicious file. This means that less privileged users restrict the impact of exploitation. The threat changes significantly if someone with administrative rights opens the malicious file, as this would result in the attacker gaining privileged permissions. "Autodesk has already released updates for its affected products, while Microsoft has posted an out of band advisory page confirming it will make patches available in due course for affected MS office products. Microsoft has labeled this as a remote code execution vulnerability; however, it’s important to note that this vulnerability requires a user to open a malicious file, which is not remote execution. Some may question how Microsoft Office is vulnerable to an Autodesk vulnerability. It’s not poor security practices on Microsoft’s part by any means, but vulnerabilities like these are a good example of how incorporating another group’s tools and code means that you also incorporate their vulnerabilities into your own product - in this case Microsoft Office, Office 365 ProPlus, and Paint 3D. Microsoft hasn’t given a timetable for when its patches will be released, but if this advisory follows the same pattern as previous MS advisories, we’ll see a patch release in May’s Patch Tuesday.  Read Less