Microsoft Office, Paint 3D hit by scary security flaw: What to do

Microsoft just pushed out important security updates designed to patch a serious vulnerability in Office 365, Paint 3D and other popular Windows 10 apps. 

As described in a Microsoft security advisory, the flaws stem from the Autodesk FBX library, which is integrated into several Microsoft applications (via ZDNet). Those include Microsoft Office 2019 (32-bit and 64-bit), Office 365 ProPlus (32-bit and 64-bit), Paint 3D and Office 2016 Click-to-Run.

Microsoft labels the vulnerabilities as "important," and while that's a step down from the maximum "critical" level, the flaws can be exploited remotely to damaging effect.

"Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content," the advisory reads. "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user." 

For an attacker to take control of a system, they would simply send a user a malicious Autodesk FBX file and trick them into opening it. Microsoft notes that users who run the Office programs or Paint 3D with fewer user rights are less at risk than those who operate as an administrator. 

As ZDNet points out, Autodesk, the company behind the FBX file format, released its own advisory last Wednesday for six separate high-severity flaws affecting apps that use FBX-SDK Version 2020.0 or earlier.

The FBX SDK is a free C++ software platform and API toolkit that lets applications transfer existing content into FBX format, which is popular for 3D modeling. 

What to do

Microsoft released updates to patch the vulnerabilities in the apps that use the Autodesk FBX library. If you use any of the aforementioned apps (Office 2019, Paint 3D), make sure they are updated to the latest versions. 

For Office products, visit this webpage for steps to determine which version you are using. If it's not the latest release, consider manually downloading the update. 

If you use Paint 3D (a pre-installed app on Windows 10 PCs), download the latest version from the Microsoft Store.