===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0090
   Availability of updates for Microsoft software utilizing the Autodesk
                                 FBX library
                               22 April 2020
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office 2013 Click-to-Run for 32 + 64-bit editions
                      Microsoft Office 2013 for 32 + 64-bit editions
                      Office 365 ProPlus for 32-bit + 64 bit Systems
                      Paint 3D
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-7085 CVE-2020-7084 CVE-2020-7083 CVE-2020-7082
                      CVE-2020-7081 CVE-2020-7080
Member content until: Friday, May 22 2020

OVERVIEW

        Microsoft is announcing the release of updates to address multiple
        vulnerabilities found in the Autodesk FBX library which is
        integrated into certain Microsoft applications. [1]

IMPACT

        Microsoft has given the following details regarding this
        vulnerability:

        "Remote code execution vulnerabilities exist in Microsoft products
        that utilize the FBX library when processing specially crafted 3D
        content. An attacker who successfully exploited these
        vulnerabilities could gain the same user rights as the local user.
        Users whose accounts are configured to have fewer user rights on
        the system could be less impacted than users who operate with
        administrative user rights.

        To exploit the vulnerabilities, an attacker must send a specially
        crafted file containing 3D content to a user and convince them to
        open it.

        The security updates address these vulnerabilities by correcting
        the way 3D content is handled by Microsoft software." [1]

        Autodesk detail the vulnerabilities as follows:

        "1) CVE-2020-7080: A user may be tricked into opening a malicious
        FBX file which may exploit a buffer overflow vulnerability in
        FBX's SDK causing it to run arbitrary code on the system.

        2) CVE-2020-7081: A user may be tricked into opening a malicious
        FBX file which may exploit a type confusion vulnerability in FBX's
        SDK causing it to read/write out-of-bounds memory location or run
        arbitrary code on the system or lead to denial-of-service.

        3) CVE-2020-7082: A user may be tricked into opening a malicious
        FBX file which may exploit a use-after-free vulnerability in FBX's
        SDK causing the application to reference a memory location
        controlled by an unauthorized third party, thereby running
        arbitrary code on the system.

        4) CVE-2020-7083: The user may be tricked into opening a malicious
        FBX file which may exploit an integer overflow vulnerability in
        FBX's SDK causing the application to crash leading to a denial of
        service.

        5) CVE-2020-7084: The user may be tricked into opening a malicious
        FBX file which may exploit a Null Pointer Dereference
        vulnerability in FBX's SDK causing the application to crash
        leading to a denial of service.

        6) CVE-2020-7085: The user may be tricked into opening a malicious
        FBX file which would invoke the heap overflow vulnerable FBX
        parser to obtain a limited code execution by altering certain
        values in a FBX file, causing the application to run arbitrary
        code on the system." [2]

MITIGATION

        Refer to the Security Updates table on the ADV200004 page. [1]

        For third party developers who use the FBX-SDK in their
        applications or services, Autodesk highly recommends they obtain
        and apply the latest version of the FBX-SDK from the update source
        listed above. [2]

REFERENCES

        [1] ADV200004 | Availability of updates for Microsoft software
            utilizing the Autodesk FBX library
            https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200004

        [2] Security advisory: Vulnerabilities in the Autodesk FBX Software
            Development Kit
            https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================