Vulnerabilities have been revealed in multiple Microsoft applications, leading to an emergency ‘out-of-band’ security update advisory. Here’s what you need to know.
The second Tuesday of each month, known colloquially as Patch Tuesday, is when Microsoft releases a swathe of security updates to users of the Windows operating system. The most recent of these, distributed on April 14, included no less than 133 vulnerabilities across a range of Microsoft products. Amongst these, there were patches for seven critical vulnerabilities for Windows 10.
Microsoft has now released an emergency out-of-band update advisory regarding a 3D graphics attack issue that could allow a successful attacker to execute arbitrary code. As the out-of-band name suggests, these security advisories are few and far between and so deserve the emergency update moniker. The last one I reported on here was back in March and related to a critical vulnerability affecting Windows 10 users, known as SMBGhost.
The 3D graphics attack vulnerability explained
The 3D graphics attack vulnerability (there are actually a total of six vulnerabilities wrapped up in that description) only gets an ‘important’ rating rather than a critical one. However, a successful attack could enable arbitrary code to be executed, with all the malware and machine control implications that brings. “If exploited, these vulnerabilities could allow an attacker to run code on an affected system with the same user permissions as that of the person who opened the malicious file,” Ryan Seguin, a research engineer at Tenable, said. So, while users with lower privileges will restrict the amount of damage an attack could do, “the threat changes significantly if someone with administrative rights opens the malicious file, as this would result in the attacker gaining privileged permissions,” according to Seguin.
Microsoft confirms products that could be impacted by the 3D graphics attack
The Microsoft security advisory revealed that the vulnerabilities exist in the Autodesk Filmbox FBX file format library, a 3D animation graphics library that is integrated into various Microsoft applications. “Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content,” the advisory explains. The full details of the six vulnerabilities can be found in an Autodesk security advisory dated April 15, which, judging by the release notes linked to in the Microsoft security advisory, is the same date on which the Microsoft product updates were distributed.
In order to exploit these vulnerabilities in a 3D attack scenario, the attacker would need to send maliciously crafted files containing 3D content that a user would have to open. Not a particularly difficult thing in the current lockdown climate, where we are all bored and looking for something to do. The products affected are Microsoft Office 2016 Click-to-Run, Microsoft Office 2019, Office 365 ProPlus and Paint 3D. “Some may question how Microsoft Office is vulnerable to an Autodesk vulnerability,” Ryan Seguin said, “it’s not poor security practices on Microsoft’s part by any means, but vulnerabilities like these are a good example of how incorporating another group’s tools and code means that you also incorporate their vulnerabilities into your own product.”
The Microsoft advisory is also a good example of how carefully timed and responsible disclosure, with different vendors working together, can help to protect users in advance of threat actors being able to exploit such vulnerabilities.