More Than 100 Vulns in Microsoft 365 Tied to SketchUp 3D Library

While Microsoft patched the issues in June, support for SketchUp appears to remain disabled in Microsoft 365.


Microsoft's move to include support in Microsoft 365 for the SketchUp 3D Library in June 2022 appears to have introduced numerous vulnerabilities in the company's suite of cloud-based productivity and collaboration tools.

The latest evidence of that is a report this week from Zscaler's ThreatLabz on the security vendor's discovery of as many as 117 unique vulnerabilities in Microsoft 365 via SketchUp within just a three-month period of poking at the technology.

Last December, researchers from Trend Micro's Zero-Day Initiative (ZDI) disclosed four high-severity remote code execution bugs in Microsoft 365 related to SketchUp file parsing. It was ZDI's research that prompted Zscaler's ThreatLabz investigation and subsequent discovery of the new set of bugs earlier this year.

Microsoft assigned three CVE identifiers collectively for the bugs — CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 — and released patches for them in its May and June security updates. However, ThreatLabz researchers were able to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June 2023. Though the company at the time had described the disablement as a temporary measure, support for SketchUp appears to remain disabled in Microsoft 365.

"The ability to insert SketchUp graphics (.skp files) has been temporarily disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac," Microsoft noted in a June 1, 2023 update on SketchUp. "Versions of Office that had this feature enabled will no longer have access [to] it. 3D models in Office documents that were previously inserted from a SketchUp file will continue to work as expected unless the Link to File option was chosen at insert time." Microsoft 365 includes the vendor's Office apps.

Microsoft did not immediately respond to a request seeking clarification on the current status of SketchUp support in Microsoft 365.

Latest CVEs Labeled 'Important'

CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 are all remote code execution bugs tied to SketchUp (.skp) file parsing, just like the bugs that ZDI discovered last December. Microsoft has assessed the vulnerabilities as being of important severity, which typically is one notch lower, from a remediation priority standpoint, than critical severity bugs. The company described all three sets of vulnerabilities as issues that an attacker could exploit only by tricking potential victims into running malicious files.

SketchUp is one of the more widely used of seven formats that Microsoft 365 users can choose from to insert 3D files into Windows and Mac versions of Word, Excel, Outlook, and PowerPoint. The other formats include Binary GL Transmission Format (*.glb); Filmbox Format (*.fbx); Object Format (*.obj); and Polygon Format (*.ply). SketchUp was first developed by @Last Software in 2000, transitioned to Google in 2006, and now is owned by Trimble Navigation.

Zscaler ThreatLabz researchers discovered the 117 SketchUp-related vulnerabilities when analyzing a dynamic link library that is responsible for parsing 3D file formats in Microsoft 365 apps, according to Kai Lu, a senior researcher with the security vendor. "In particular, we discovered Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file," Lu said in a blog post this week on discovering the vulnerabilities. Reverse-engineering the functionality led to the discovery of several exploitable issues in the software, the security researcher said.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
