Microsoft Office Remote Code Execution Vulnerability
CVE-2024-20677
Summary
A security vulnerability in Microsoft Office products allows for potential remote code execution through FBX file insertion. In response to this risk, Microsoft has disabled the ability to insert FBX files in Office applications, including Word, Excel, PowerPoint, and Outlook, on both Windows and Mac platforms. This change affects versions such as Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365. As of the January 9, 2024 security update, the option to insert FBX files has also been removed from 3D Viewer. Notably, existing 3D models in Office documents remain functional unless the 'Link to File' option was utilized at the time of insertion.
Affected Version(s)
Product | Platform | Affected version
3D Viewer | Unknown | 7.0.0 < 7.2401.29012.0
Microsoft 365 Apps for Enterprise | 32-bit Systems | 16.0.1
Microsoft Office 2019 | 32-bit Systems | 19.0.0
News Articles
Patch now! First patch Tuesday of 2024 is here | Malwarebytes
Microsoft's patch Tuesday roundup looks like a relatively quiet one. Unless your organization uses FBX files.
Microsoft fixes 48 bugs in January Patch Tuesday, none of them zero-days
Security pros noted that the first Patch Tuesday of 2024 was the second consecutive release by Microsoft with no zero-days.
Timeline
First article discovered by SC Magazine
Vulnerability published
Vulnerability Reserved