Autodesk, MS Office, Paint 3D vulnerability affects millions of devices

Just days after Microsoft released its update package for the month of April, the company issued a new set of security patches to fix several vulnerabilities in the Office suite that threat actors could exploit to execute arbitrary code.

The company also released a security update for the Paint 3D tool, since the flaws lie in a component shared by the Office suite and the 3D editing tool: Autodesk's FBX library.

Autodesk is best known as the developer of AutoCAD, although it has many other products widely used by architects, engineers and digital content creators, among others. In total, six vulnerabilities were fixed in its FBX software development kit (FBX SDK).

These flaws can be exploited by tricking a user into opening a specially crafted FBX file, leading to a denial of service (DoS) condition or arbitrary code execution. Because the Autodesk FBX library is built into the affected applications, any crafted 3D content those applications process can trigger the vulnerable code.

In a security report, Microsoft mentions: “A threat actor who successfully exploited these vulnerabilities could get the same user rights as the local user; on the other hand, a user with fewer privileges on the system might be less affected.”

Any attacker who wanted to exploit these vulnerabilities would have to deliver a specially crafted file containing 3D content to the target user and then convince the user to open it; merely viewing the file in a preview pane is not enough to trigger the attack.

Beyond opening the file, no further action by the user is required, which is why these vulnerabilities are considered serious, if not critical. Since there are many ways to trick a user into downloading and opening a malicious file, users should remain alert to potential attacks.
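Since the attack vector is a crafted FBX file delivered inside a document the user is tricked into opening, one practical triage step is to check whether a document container carries FBX content at all, regardless of the file extension on the part. The following Python scanner is an added example, not code from the article or from Autodesk or Microsoft. It walks an OOXML (Office) zip and flags any part whose bytes start with the FBX binary header (the fixed string "Kaydara FBX Binary", followed by 0x00 0x1A 0x00 and a little-endian version number) or with the comment that ASCII FBX files conventionally open with. The sample document it builds is constructed inline; the part name `word/media/model1.png` is an assumption chosen to show that a renamed extension does not hide the content.

```python
"""Scan an OOXML (Office) zip container for embedded FBX 3D model content.

Added example for triage of suspicious documents; not the page's or vendor's code.
"""
import io
import zipfile

# Binary FBX files begin with this 23-byte header (magic string + 0x1A 0x00),
# immediately followed by a little-endian uint32 format version (e.g. 7400).
FBX_BINARY_MAGIC = b"Kaydara FBX Binary  \x00\x1a\x00"
# ASCII FBX files conventionally start with a comment such as "; FBX 7.4.0 project file".
FBX_ASCII_PREFIX = b"; FBX "


def classify_fbx(data: bytes):
    """Return ("binary", version), ("ascii", None), or None if the bytes are not FBX."""
    if data.startswith(FBX_BINARY_MAGIC) and len(data) >= 27:
        version = int.from_bytes(data[23:27], "little")
        return ("binary", version)
    if data.lstrip().startswith(FBX_ASCII_PREFIX):
        return ("ascii", None)
    return None


def scan_ooxml(blob: bytes):
    """List every part in the zip whose content looks like FBX, whatever its name says."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(64)  # the header is all we need to classify
            kind = classify_fbx(head)
            if kind:
                findings.append({"part": info.filename, "format": kind[0], "version": kind[1]})
    return findings


def build_sample_docx(model_bytes: bytes, part_name: str) -> bytes:
    """Constructed minimal OOXML-like zip carrying one extra part (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(part_name, model_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a binary FBX header claiming version 7400, stored under a .png name.
    fake_fbx = FBX_BINARY_MAGIC + (7400).to_bytes(4, "little") + b"\x00" * 32
    doc = build_sample_docx(fake_fbx, "word/media/model1.png")
    for hit in scan_ooxml(doc):
        print(hit)
```

Scanning by header rather than by extension matters here because the exploit path is the library parsing the content, not the filename; a mail gateway or sandbox can run the same check over any zip-based document before it reaches a user with an unpatched Office or Paint 3D install.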

No workarounds are known that would mitigate the risk without patching, so users of affected deployments are advised to apply the official security updates as soon as they are available for their products.