CVE-2024-20677

Published: Jan 9, 2024Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: secure@microsoft.com (Secondary)

Description

A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365. As of February 13, 2024, the ability to insert FBX files has also been disabled in 3D Viewer. 3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time. This change is effective as of the January 9, 2024 security update.

Affected (4)

Products: Microsoft: 365 Apps, Office, Office Long Term Servicing Channel

Microsoft

3 products

365 Apps

Office

Office Long Term Servicing Channel

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Microsoft 365 Apps	All versions
Microsoft Office	Version 2019
Microsoft Office Long Term Servicing Channel	Version 2021
Microsoft Office Long Term Servicing Channel	Version 2021

Related CWEs

CWE-122

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References (2)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20677

Source: secure@microsoft.com

PatchVendor Advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20677

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.