Microsoft has addressed multiple vulnerabilities in the Autodesk FBX library. The company has issued a security advisory ADV200004 that confirms the availability of updates for Microsoft software utilizing the Autodesk FBX library, which is integrated into certain applications.
Microsoft fixes remote code execution vulnerabilities
Microsoft has acknowledged that remote code execution vulnerabilities exist in applications that make use of the Autodesk FBX library. Applications that use Autodesk FBX library need to process specially crafted 3D content.
In its advisory ADV200004, Microsoft wrote:
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user.”
In exploited, these vulnerabilities could help attackers gain unauthorized access to the system with the same right as the local user. However, these vulnerabilities leave a huge impact on users who mainly operate with administrative user rights as compared to those with few user rights in the system.
The vulnerabilities could be exploited by attackers after sending a specially crafted file containing 3D content. This file must be sent to a user who then should open it.
Microsoft says the security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft applications.
The update applies to the following Microsoft applications:
- 3D Viewer
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Office 365 ProPlus for 32-bit Systems
- Office 365 ProPlus for 64-bit Systems
- Paint 3D.
The latest security advisory, however, released a fix only for 3D Viewer and Paint 3D. As for Office 2019 and Office 365 ProPlus, the vulnerability was fixed in the Microsoft Office cumulative update on March 10, 2020.
As for 3D Viewer and Paint 3D applications, ensure that you have successfully installed the update. All you need to do is go to these apps, navigate to Menu > Settings. The version number appears in the upper right corner under ‘About.’ (7.2003.11022.0 for 3D Viewer and 6.2003.4017.0 for Paint 3D).
Alternatively, go to Start Menu > Locate Paint 3D or 3D Viewer apps > Right-click on the App name to display the options menu > Settings. The installed version number should be listed under ‘Specifications.’
Autodesk is primarily known for AutoCad whereas FBX is short for Filmbox, which is a proprietary format owned by Autodesk that is used to save motion capture data alongside audio and video streams.
