===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0090
         Availability of updates for Microsoft software utilizing
                          the Autodesk FBX library
                               22 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office 2013 Click-to-Run for 32 + 64-bit editions
                      Microsoft Office 2013 for 32 + 64-bit editions
                      Office 365 ProPlus for 32-bit + 64 bit Systems
                      Paint 3D
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-7085 CVE-2020-7084 CVE-2020-7083
                      CVE-2020-7082 CVE-2020-7081 CVE-2020-7080
Member content until: Friday, May 22 2020

OVERVIEW

        Microsoft is announcing the release of updates to address multiple 
        vulnerabilities found in the Autodesk FBX library which is integrated 
        into certain Microsoft applications. [1]


IMPACT

        Microsoft has given the following details regarding these vulnerabilities:
                
        "Remote code execution vulnerabilities exist in Microsoft products that 
        utilize the FBX library when processing specially crafted 3D content. 
        An attacker who successfully exploited these vulnerabilities could gain 
        the same user rights as the local user. Users whose accounts are 
        configured to have fewer user rights on the system could be less impacted 
        than users who operate with administrative user rights.
                
        To exploit the vulnerabilities, an attacker must send a specially crafted 
        file containing 3D content to a user and convince them to open it.
                
        The security updates address these vulnerabilities by correcting the way 
        3D content is handled by Microsoft software." [1]
                
        Autodesk details the vulnerabilities as follows:
                
        "1) CVE-2020-7080: A user may be tricked into opening a malicious FBX file which
        may exploit a buffer overflow vulnerability in FBX's SDK causing it to run
        arbitrary code on the system.
                
        2) CVE-2020-7081: A user may be tricked into opening a malicious FBX file which
        may exploit a type confusion vulnerability in FBX's SDK causing it to read/
        write out-of-bounds memory location or run arbitrary code on the system or lead
        to denial-of-service.
                
        3) CVE-2020-7082: A user may be tricked into opening a malicious FBX file which
        may exploit a use-after-free vulnerability in FBX's SDK causing the application
        to reference a memory location controlled by an unauthorized third party,
        thereby running arbitrary code on the system.
                
        4) CVE-2020-7083: The user may be tricked into opening a malicious FBX file
        which may exploit an integer overflow vulnerability in FBX's SDK causing the
        application to crash leading to a denial of service.
                
        5) CVE-2020-7084: The user may be tricked into opening a malicious FBX file
        which may exploit a Null Pointer Dereference vulnerability in FBX's SDK causing
        the application to crash leading to a denial of service.
                
        6) CVE-2020-7085: The user may be tricked into opening a malicious FBX file
        which would invoke the heap overflow vulnerable FBX parser to obtain a limited
        code execution by altering certain values in a FBX file, causing the
        application to run arbitrary code on the system." [2]


MITIGATION

        Refer to the Security Updates table on the ADV200004 page. [1]
                 
        For third-party developers who use the FBX SDK in their applications or
        services, Autodesk highly recommends that they obtain and apply the latest
        version of the FBX SDK from the update source listed above. [2]


REFERENCES

        [1] ADV200004 | Availability of updates for Microsoft software
            utilizing the Autodesk FBX library
            https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200004

        [2] Security advisory: Vulnerabilities in the Autodesk FBX Software
            Development Kit
            https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================