Patch now! Microsoft issues unexpected Office fix

Column: IT technology · Published: 4 years ago


Microsoft just issued Security Advisory ADV200004, entitled Availability of updates for Microsoft software utilizing the Autodesk FBX library.

At first glance, you might be inclined to read just the headline and skip on by because you don’t use FBX files or you don’t have any Autodesk software products.

We’ll be honest and admit we hadn’t even heard of FBX files until now, let alone created one – the abbreviation is short for Filmbox, and it’s a proprietary format owned by Autodesk that is used to save motion capture data along with audio and video streams.

Autodesk is probably still best-known for its AutoCAD computer aided drawing software, but it has a huge range of products for video rendering, game creation and more, where the FBX file format is right at home.

Well, Autodesk just published its own Security Advisory ADSK-SA-2000-0002, “Vulnerabilities in the Autodesk FBX Software Development Kit”.

This advisory announces fixes for six different security bugs denoted CVE-2020-7080 to CVE-2020-7085 consecutively.

Announced as they are at the same time, these vulnerabilities sound like the sort of multi-bug fix that sometimes emerges after a concerted burst of reviewing and testing existing code to improve it, and if so it sounds as though the review was both extensive and worthwhile.

These vulnerabilities are due to a range of different programming errors that often creep into code that handles complex data objects stored in a binary format, namely: buffer overflow, type confusion, use after free, integer overflow and null pointer dereference.

Well, here’s the thing: it seems that the Microsoft Office 2019 and Office 365 ProPlus products from Microsoft include support for FBX files – whether you use FBXes yourself or not – and that the code to process those files comes from Autodesk.

Therefore the latest versions of Office inherit these six CVE-tagged vulnerabilities from Autodesk, and five out of six of them are listed as allowing RCE, short for remote code execution.

Click to run

As you probably know, an RCE bug that is present when a vulnerable application processes a booby-trapped file often means that simply opening up or previewing that file could allow crooks to implant malware on your computer.

You typically won’t see any of the usual “do you want to download?” or “this file wants to run a program, are you sure?” warnings, so opening the file will not only feel innocent – as opening up a data file is supposed to be – but also look innocent.

In other words, a crook could email you an FBX file – a file that isn’t a program and isn’t supposed to be a program – that puts you at risk of what Microsoft calls click to run.

A click-to-run bug isn’t quite as dangerous as a security hole that can be exploited remotely even when no one’s logged in, because you have to be tempted at least to look at the offending item.

But a click-to-run attack is much more dangerous than, say, a document file containing macros that have to be authorised as a second step after the document is opened.

And even if you think you’d never open an FBX file because it sounds unimportant or irrelevant, remember that:

  • Crooks rarely send one phishing email at a time. Even if crooks aren’t directly targeting your company, their spam database probably contains multiple email entries for every company domain on the list anyway. The crooks don’t have to trick everyone – they can target anyone and win if they trick someone.
  • Windows doesn’t show file extensions by default. A file called something.text.fbx will typically be displayed as something.text, which has a deceivingly safe look to it.

What to do?

Microsoft’s advisory states that it has “not identified any mitigating factors [or] workarounds for [these vulnerabilities]”.

You know what we’re going to say, so we’ll say it quickly: Patch early, patch often.

And if you are an Autodesk customer, don’t forget to check for updates to affected Autodesk products.

The Autodesk list includes various versions of: the FBX Software Development Kit (which is presumably how these bugs ended up in Office), Maya, Motion Builder, Mudbox, 3ds Max, Fusion, Revit, Flame, Infraworks, Navisworks and Autodesk AutoCAD.

One more thing

While you’re about it – because you can! – we recommend telling Windows not to suppress file extensions.

You might not yet know that files ending .JS (JavaScript) are actually programs rather than data files, and are generally very risky to open up directly on your computer.

But there’s an irony that once you do know what .JS files are, Windows doesn’t make it easy for you to use that knowledge to protect yourself.

Type file explorer in the search bar and launch the Windows File Explorer app; go to the View menu and check the box labelled File Name Extensions.
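The same setting applied from PowerShell, plus a check for the something.text.fbx masking described in the bullet list above, as an added example that is not from the article (the registry path is the standard Explorer one; the Downloads folder is an assumed starting point):

```powershell
# Added example, not code from the Naked Security article.
# HideFileExt under this key is the per-user "hide extensions for known file
# types" switch that the View > File Name Extensions checkbox toggles.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # 1 = extensions hidden (the Windows default), 0 = extensions shown.
    $before = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts; sign out and back in (or restart
    # explorer.exe) for the change to appear in existing windows.
    return $before
}

function Find-DoubleExtensionFiles {
    # Assumed starting point: the current user's Downloads folder.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # With extensions hidden, Explorer shows only BaseName. If BaseName
            # itself still ends in an extension-looking suffix, the real type
            # (.fbx, .js, ...) is being masked. Legitimate names such as
            # archive.tar.gz will also match; review the list by hand.
            [System.IO.Path]::HasExtension($_.BaseName)
        } |
        Select-Object FullName,
                      @{ n = 'DisplayedAs'; e = { $_.BaseName } },
                      @{ n = 'RealType';    e = { $_.Extension } }
}

$previous = Show-FileExtensions
"HideFileExt was $previous, now 0"
Find-DoubleExtensionFiles | Format-Table -AutoSize
```

Running Find-DoubleExtensionFiles on a folder containing something.text.fbx reports DisplayedAs = something.text and RealType = .fbx, which is exactly the discrepancy the hidden-extension default conceals.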
