Security News > 2020 > April > Update MS Office, Paint 3D to plug RCE vulnerabilities
A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution.
At the same time, a security update has also been released for Paint 3D, the company's free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
Since the Autodesk FBX library is integrated into MS Office apps and the Paint 3D app, them processing specially crafted 3D content may lead to remote code execution.
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft explained.
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/GTNkOyR17Vg/