General Vulnerability Statistics
A rise in CVE (Common Vulnerabilities and Exposures) reports since 2020 is reflected in official statistics (update September 2022: the source's site is no longer available). In 2020, according to stack.watch (a web page that sources its data from the National Vulnerability Database), a total of 17030 vulnerabilities were published; in 2019 that number was 16090. As for this year, the count already stands at 10971 and should surpass last year's figure. Further information from the stack.watch web page indicates that last year Microsoft Windows 10, Microsoft Windows Server 2016, and Server 2019 were the top three products with reported vulnerabilities (followed by Google Android, Debian Linux, and Microsoft Windows Server 2012, respectively). Counted by vendor rather than by product, the top three were Microsoft, Google, and Oracle, with Apple coming in at 8th place.
Another Microsoft Vulnerability Discovered
On July 29th, 2021, another vulnerability in a product of software colossus Microsoft cropped up. Microsoft is no stranger to security vulnerabilities, and this one, disclosed just recently, affects one of its products specifically: the latest release information confirms a code execution vulnerability in Microsoft's 3D Viewer.
What is Microsoft 3D Viewer?
Microsoft's 3D Viewer is a desktop-oriented UWP (Universal Windows Platform) app. It is a 3D object viewer with augmented reality features. According to the official product page, the following description applies to the 3D Viewer: “Take any 3D model into the real world—using just the camera on your Windows 10 PC. With 3D Viewer, unleash your imagination with our collection of animated models or view your own 3D model on file.”
More Information About The Vulnerability
On July 29th, 2021, security researchers from the Zero Day Initiative published a report on a remote code execution vulnerability in Microsoft's 3D Viewer product. The report is credited to Mat Powell of Trend Micro's Zero Day Initiative. The vulnerability can allow a remote attacker to compromise a system running the vulnerable software. The flaw exists because of a use-after-free error when parsing 3MF files: a remote attacker can trick a victim into opening a malicious 3MF file, which triggers the use-after-free, after which arbitrary code execution is possible on the vulnerable system. It has been confirmed that the vulnerability can be exploited by an unauthenticated attacker over the internet.
The Technical Details
The vulnerability has been rated a high-risk zero-day flaw. Zero-day vulnerabilities like this are highly dangerous because they are recently exposed security flaws for which no fix is immediately available. A CVE identifier is not yet available for this vulnerability; its CWE ID is CWE-416 (Use After Free). All versions of Microsoft 3D Viewer are confirmed as being affected.
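To make the CWE-416 pattern behind this report concrete, here is an added example (not code from the Zero Day Initiative report or from Microsoft's 3D Viewer) of the failure mode described above, a parser that discards an object on one path and later references it, together with one mitigation: a generational handle table that turns the stale reference into a detected error instead of a dangling pointer dereference. The record format, the `mesh_object` type and every function name here are invented for illustration; a real 3MF file is a ZIP package of XML, which this toy format does not try to imitate.

```c
/* Added example: generational handles as a use-after-free (CWE-416) mitigation.
 * The toy "record" format and all names are constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_OBJECTS 8

/* A parsed mesh object; a real parser would hold vertices, triangles, etc. */
typedef struct {
    int id;
    int vertex_count;
} mesh_object;

/* One slot of the handle table: the object, a live flag, and a generation
 * counter that is bumped every time the slot is freed. */
typedef struct {
    mesh_object obj;
    int live;
    uint32_t generation;
} slot;

/* A handle is (slot index, generation). It never becomes a raw pointer that
 * can outlive the object: every access goes through resolve(). */
typedef struct {
    uint32_t index;
    uint32_t generation;
} handle;

static slot table[MAX_OBJECTS];

static void reset_table(void) {
    memset(table, 0, sizeof table);
}

static handle alloc_object(int id, int vertex_count) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].obj.id = id;
            table[i].obj.vertex_count = vertex_count;
            return (handle){ i, table[i].generation };
        }
    }
    return (handle){ UINT32_MAX, 0 };   /* table full */
}

static void free_object(handle h) {
    if (h.index < MAX_OBJECTS && table[h.index].live &&
        table[h.index].generation == h.generation) {
        table[h.index].live = 0;
        table[h.index].generation++;    /* invalidates every outstanding handle */
    }
}

/* Returns NULL for a stale handle. This is the check a raw pointer cannot make;
 * with raw pointers the same access would read freed (possibly reused) memory. */
static mesh_object *resolve(handle h) {
    if (h.index >= MAX_OBJECTS) return NULL;
    slot *s = &table[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return &s->obj;
}

/* Constructed input records: OBJECT defines an object, FREE models the parser
 * discarding it on some error path, USE models a later record referencing it. */
typedef enum { REC_OBJECT, REC_FREE, REC_USE } rec_kind;
typedef struct { rec_kind kind; int id; int vertex_count; } record;

/* Parses the records, summing vertex counts of used objects into *total_vertices.
 * Returns the number of stale references caught (0 for a benign file) or -1 on
 * an unknown or out-of-range id. */
static int parse_records(const record *recs, size_t n, int *total_vertices) {
    handle by_id[MAX_OBJECTS];
    int have_id[MAX_OBJECTS] = {0};
    int caught = 0;
    reset_table();
    *total_vertices = 0;
    for (size_t i = 0; i < n; i++) {
        int id = recs[i].id;
        if (id < 0 || id >= MAX_OBJECTS) return -1;
        switch (recs[i].kind) {
        case REC_OBJECT:
            by_id[id] = alloc_object(id, recs[i].vertex_count);
            have_id[id] = 1;
            break;
        case REC_FREE:
            if (have_id[id]) free_object(by_id[id]);
            break;
        case REC_USE: {
            if (!have_id[id]) return -1;
            mesh_object *m = resolve(by_id[id]);
            if (m == NULL) { caught++; break; }   /* would have been a use-after-free */
            *total_vertices += m->vertex_count;
            break;
        }
        }
    }
    return caught;
}

int main(void) {
    /* Constructed "file": object 1 is freed, its slot is reused by object 2,
     * and a later record still references object 1. */
    record recs[] = { {REC_OBJECT, 1, 3}, {REC_FREE, 1, 0}, {REC_OBJECT, 2, 5},
                      {REC_USE, 1, 0}, {REC_USE, 2, 0} };
    int total = 0;
    int caught = parse_records(recs, sizeof recs / sizeof recs[0], &total);
    printf("stale references caught: %d, vertices counted: %d\n", caught, total);
    return 0;
}
```

The slot reuse in `main` is the point: after object 1 is freed, object 2 lands in the same slot, exactly the situation in which a raw-pointer parser would read attacker-shaped data through the dangling reference. The bumped generation makes `resolve()` reject the old handle, so the parser counts a caught error instead of dereferencing freed memory.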
The News so Far
The vulnerability has been reported to Microsoft several times, to no avail: although Microsoft is aware of the issue, it has not yet released an official update (patch) to mitigate it. A public advisory has been released. The Zero Day Initiative recommends that all users limit their interaction with Microsoft 3D Viewer until a fix is released. Microsoft Windows users should check for any Windows Update notifications regarding Microsoft 3D Viewer, as well as check back on the Microsoft 3D Viewer product page for updates.