On April 15, Autodesk released a security advisory, ADSK-SA-2020-0002, to address six vulnerabilities in the Autodesk Filmbox (FBX) Software Development Kit, which “allows application and content vendors to transfer existing content into the FBX format with minimal effort.”
In response to Autodesk’s advisory, Microsoft issued an out-of-band advisory, ADV200004, on April 21, as the FBX library is integrated into specific versions of Microsoft Office, Office 365 ProPlus and Paint 3D.
Commenting on this, Ryan Seguin, Research Engineer at Tenable, said, “The Autodesk ADSK-SA-2020-0002 vulnerabilities are Denial of Service and Arbitrary Code Execution flaws in the FBX library.
“If exploited, these vulnerabilities could allow an attacker to run code on an affected system with the same user permissions as that of the person who opened the malicious file. This means that less privileged users restrict the impact of exploitation. The threat changes significantly if someone with administrative rights opens the malicious file, as this would result in the attacker gaining privileged permissions.
“Autodesk has already released updates for its affected products, while Microsoft has posted an out-of-band advisory page confirming it will make patches available in due course for affected MS Office products. Microsoft has labeled this as a remote code execution vulnerability; however, it’s important to note that this vulnerability requires a user to open a malicious file, which is not remote execution.
“Some may question how Microsoft Office is vulnerable to an Autodesk vulnerability. It’s not poor security practices on Microsoft’s part by any means, but vulnerabilities like these are a good example of how incorporating another group’s tools and code means that you also incorporate their vulnerabilities into your own product – in this case, Microsoft Office, Office 365 ProPlus, and Paint 3D. Microsoft hasn’t given a timetable for when its patches will be released, but if this advisory follows the same pattern as previous MS advisories, we’ll see a patch release in May’s Patch Tuesday.”