CVE-2024-20677: 
vulnerability analysis and mitigation

CVE-2024-20677 is a remote code execution vulnerability discovered in Microsoft Office's FBX file handling functionality. The vulnerability affects multiple Microsoft Office products including Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365 Apps for Enterprise. The issue was disclosed on January 9, 2024, with a CVSS score of 7.8 (High) (NVD).

The vulnerability exists within the parsing of FBX files and results from the lack of validating the existence of an object prior to performing operations on the object. It has been classified as a use-after-free vulnerability that could lead to remote code execution. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access is required with user interaction (ZDI).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically opening a malicious file containing specially crafted FBX 3D model files (Arctic Wolf).

Microsoft has addressed this vulnerability by disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook for Windows and Mac. As of February 13, 2024, the ability to insert FBX files has also been disabled in 3D Viewer. Previously inserted 3D models from FBX files will continue to work as expected unless the Link to File option was chosen at insert time (NVD).