More Than 100 Vulns in Microsoft 365 Tied to SketchUp 3D Library

While Microsoft patched the issues in June, support for SketchUp appears to remain disabled in Microsoft 365.

3 Min Read
Logos of Microsoft 365 apps on laptop screen
Source: monticello via Shutterstock

Microsoft's move to include support in Microsoft 365 for the SketchUp 3D Library in June 2022 appears to have introduced numerous vulnerabilities in the company's suite of cloud-based productivity and collaboration tools.

The latest evidence of that is a report this week from ZScaler's ThreatLabz on the security vendor's discovery of as many as 117 unique vulnerabilities in Microsoft 365 via SketchUp within just a three-month period of poking at the technology.

Last December, researchers from Trend Micro's Zero-Day Initiative (ZDI) disclosed four high-severity remote code execution bugs in Microsoft 365 related to SketchUp file parsing. It was ZDI's research that prompted Zscaler's ThreatLabz investigation and subsequent discovery of the new set of bugs earlier this year.

Microsoft assigned three CVE identifiers collectively for the bugs — CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 — and released patches for them in its May and June security updates. However, ThreatLabz researchers were able to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June 2023. Though the company at the time had described the disablement as a temporary measure, support for SketchUp appears to remain disabled in Microsoft 365.

"The ability to insert SketchUp graphics (.skp files) has been temporarily disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac," Microsoft noted in a June 1, 2023 update on SketchUp. "Versions of Office that had this feature enabled will no longer have access [to] it. 3D models in Office documents that were previously inserted from a SketchUp file will continue to work as expected unless the Link to File option was chosen at insert time." Microsoft 365 includes the vendor's Office apps.

Microsoft did not immediately respond to a request seeking clarification on the current status of SketchUp support in Microsoft 365.

Latest CVEs Labeled 'Important'

CVE-2023-28285, CVE-2023-29344, and CVE-2023-3314 are all remote code execution bugs tied to SketchUp (.skp) file parsing, just like the bugs that ZDI discovered last December. Microsoft has assessed the vulnerabilities as being of important severity, which typically is one notch lower, from a remediation priority standpoint, than critical severity bugs. The company described all three sets of vulnerabilities as issues that an attacker could exploit only by tricking potential victims into running malicious files.

SketchUp is one of the more widely used of seven formats that Microsoft 365 users can choose from to insert 3D files into Windows and Mac versions of Word, Excel, Outlook, and PowerPoint. The other formats include Binary GL Transmission Format (*.glb); Filmbox Format (*.fbx); Object Format (*.obj); and Polygon Format (*.ply). SketchUp was first developed by @Last Software in 2000, transitioned to Google in 2006, and now is owned by Trimble Navigation.

Zscaler ThreatLabz researchers discovered the 117 SketchUp-related vulnerabilities when analyzing a dynamic link library that is responsible for parsing 3D file formats in Microsoft 365 apps, according to Kai Lu, a senior researcher with the security vendor. "In particular, we discovered Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file," Lu said, in his blog on discovering the vulnerabilities this week. Reverse-engineering the functionality led to the discovery of several exploitable issues in the software, the security researcher said.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights