Office and Paint 3D receive new security update

Apr 23, 2020 04:10 GMT

Microsoft has released an emergency security update to resolve multiple vulnerabilities impacting Microsoft Office and the Windows 10 app Paint 3D.

The security flaws exist in Microsoft applications that use the Autodesk FBX library, with Autodesk itself rolling out patches for the affected products on April 15.

Microsoft explains in its advisory that an attacker who manages to exploit these vulnerabilities would obtain the same rights as the logged-in user, which means that a malicious actor could even get administrator privileges on a compromised machine if that user runs with administrative rights.

If this happens, the attacker would effectively have full control over the compromised system.

“Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explains.

Affected products

But what’s important to know is that in order to launch an attack, the malicious actor needs a user on an unpatched host to open a crafted 3D file, so as long as you stay away from untrusted files, you should not be exposed to this attack until the fix is deployed.

“To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it. The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software,” Microsoft says.

The vulnerabilities have been given an “Important” severity rating for both Microsoft Office and Paint 3D. As far as the productivity suite is concerned, Microsoft Office 2016, Microsoft Office 2019, and Office 365 ProPlus are all affected.