Patch now! Microsoft issues unexpected Office fix
Well, here's the thing: it seems that Microsoft Office 2019 and Office 365 ProPlus include support for FBX files - whether you use FBXes yourself or not - and that the code to process those files comes from Autodesk.
As you probably know, an RCE bug that is present when a vulnerable application processes a booby-trapped file often means that simply opening up or previewing that file could allow crooks to implant malware on your computer.
You typically won't see any of the usual "Do you want to download?" or "This file wants to run a program, are you sure?" warnings, so opening the file will not only feel innocent - as opening up a data file is supposed to be - but also appear innocent.
A bug requiring you to click on and open up a rogue file isn't as dangerous as a security hole that can be exploited remotely even when no one's logged in, because you have to be tempted at least to look at the offending item.
To show file extensions in Windows, type "file explorer" in the search bar and launch the Windows File Explorer app; go to the View menu and check the box labelled File Name Extensions.
News URL
https://nakedsecurity.sophos.com/2020/04/24/patch-now-microsoft-issues-unexpected-office-fix/