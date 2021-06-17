Paint 3D is the tool that Microsoft launched in its day to replace the popular Paint, the evolution of one of the most important functions of Windows that has been with us since we almost have memory and a successor that we now know, has been subject to a vulnerability until recently.

The truth is that Paint 3D has never enjoyed the popularity of its predecessor and that is why it draws attention when it is news like now. And it is that ZDI researchers have discovered that it suffers from a failure that can allow remote code execution on our computers.

A medium-grade vulnerability

Focused on use in mixed reality worlds and the creation of 3D content and although it is not included by default in Windows 11, it can be downloaded from the Microsoft Store at this link.

And now, researchers at ZDI (Zero Day Initiative) have discovered a security breach that could allow remote code execution in 3D modeling software. A failure that, yes, has been fixed by Microsoft on Patch Tuesday in June.

The vulnerability, which was discovered by fuzzing, requires a user to upload a compromised file, a bug that appears with the key CVE-2021-31946:

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Paint 3D. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.”

Thanks to this flaw, an attacker could use this vulnerability to run code in the context of the current process with low integrity, although and since it requires that the attacker has already escalated his privileges on his system, it was considered medium severity.

Microsoft has released an update that fixes the bug, a security breach that was notified to the company on February 2, 2021 and that it was announced on June 6 following the established protocol.

Paint 3D Download it at: Microsoft Store

Price: Free

Category: Productivity

Via | MSPU