b2b-daily
Home | IT | Cyber Security

Microsoft 365’s Inclusion of SketchUp 3D Library Reveals Numerous Vulnerabilities

Avatar photo
by Paige Williams
November 2, 2023
Image Credit: Other
Microsoft 365’s Inclusion of SketchUp 3D Library Reveals Numerous Vulnerabilities
Table of Contents
  1. Disclosure of High-Severity Bugs
  2. Impact on Microsoft 365 Users
  3. Discovery of Numerous Vulnerabilities
  4. Severity Assessment by Microsoft
  5. Exploit Scenarios and Precautions
  6. Background on SketchUp

Microsoft’s inclusion of support for the SketchUp 3D Library in Microsoft 365 presents a noteworthy security concern for users. The integration of SketchUp into the cloud-based productivity and collaboration tools has been identified as a vulnerability. This article aims to delve into the disclosure of high-severity bugs, the bypassing of fixes, the impact on Microsoft 365 users, the discovery of multiple vulnerabilities, Microsoft’s assessment of severity, exploit scenarios, and provide background information on SketchUp.

Disclosure of High-Severity Bugs

Last December, researchers from Trend Micro’s Zero-Day Initiative (ZDI) revealed four high-severity remote code execution bugs in Microsoft 365. These bugs specifically affected the parsing of SketchUp files within the software suite. Microsoft promptly assigned three CVE (Common Vulnerabilities and Exposures) identifiers – CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 – and released patches to address these vulnerabilities in the May and June security updates.

Despite the patches, ThreatLabz researchers managed to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June of 2023. Initially described as a temporary measure, support for SketchUp remains disabled in Microsoft 365. This disabling emphasizes the severity of the vulnerabilities associated with SketchUp integration within the software suite.

Impact on Microsoft 365 Users

SketchUp is one of the most widely used formats available to Microsoft 365 users for inserting 3D files into applications such as Word, Excel, Outlook, and PowerPoint. Its popularity makes the vulnerabilities all the more concerning as it increases the potential attack surface for hackers aiming to exploit the weaknesses. Users must exercise caution when dealing with SketchUp files and consider alternative 3D file formats to mitigate the risks.

Discovery of Numerous Vulnerabilities

The Zscaler ThreatLabz researchers uncovered a staggering 117 vulnerabilities related to SketchUp when analyzing the dynamic link library responsible for parsing 3D file formats in Microsoft 365 apps. This discovery demonstrates the extent to which the integration of SketchUp has introduced potential avenues for attackers to exploit the software suite’s security.

Severity Assessment by Microsoft

After assessing the vulnerabilities, Microsoft classified them as being of important severity, which is marginally lower in terms of remediation priority than critical severity bugs. This classification emphasizes the significance of addressing these vulnerabilities promptly to ensure the overall security of Microsoft 365 and its users.

Exploit Scenarios and Precautions

Microsoft has described the vulnerabilities as issues that attackers can only exploit by tricking potential victims into running malicious files. This underscores the need for users to exercise caution when handling SketchUp files and to be vigilant against potential phishing attempts or other social engineering tactics that may lead to the execution of such files.

Background on SketchUp

SketchUp was first developed by @Last Software in 2000 and later transitioned to Google in 2006. It is now owned by Trimble Navigation. Over the years, SketchUp has become one of the most widely recognized and utilized 3D modeling tools available. Its versatility and ease of use have made it popular among professionals and amateur designers alike, contributing to its prominence in the 3D file format landscape.

The integration of SketchUp within Microsoft 365’s suite of cloud-based productivity and collaboration tools has unintentionally exposed users to numerous vulnerabilities. Despite patches released by Microsoft, the bypass discovered by ThreatLabz researchers forced the company to temporarily disable support for SketchUp. The discovery of 117 vulnerabilities highlights the potential risks associated with this integration. Microsoft’s classification of the vulnerabilities as being of high severity reinforces the need for users to remain vigilant and adopt additional security measures when handling SketchUp files. As Microsoft works to address these vulnerabilities, users must prioritize security to ensure the safety of their data and systems within the Microsoft 365 environment.

Information SecurityMicrosoft

Explore more

AI Infrastructure Costs Drive a Shift to Hybrid Cloud Models
June 2, 2026

The sudden realization that the physical infrastructure required for generative artificial intelligence is fundamentally different from traditional software-as-a-service workloads has sent ripples through the global tech industry. For over a decade, the migration toward a cloud-first strategy seemed like an inevitable path for every modern enterprise, promising infinite scalability without the burden of maintaining heavy hardware. However, as the computational

How Secure Is Your Data Journey on Public Wi-Fi?
June 2, 2026

A single click on a smartphone in a crowded airport terminal initiates a sophisticated sequence of events that most users never fully consider while they are simply sipping their morning coffee or waiting for their next flight. This digital transmission does not simply vanish into the air; instead, it undergoes a transformation into complex radio frequency signals that must navigate

Smart 6G Boosts Medical Application Capacity by 40 Percent
June 2, 2026

The integration of sixth-generation wireless technology into modern healthcare infrastructures has fundamentally altered the paradigm of patient care by offering unprecedented bandwidth and latency improvements that were previously considered unattainable in dense urban environments. This leap in connectivity is not merely an incremental update but a structural revolution that addresses the growing demand for high-fidelity data transmission in real-time medical

Is X-VPN Truly Private? Inside the Big Four No-Logs Audit
June 2, 2026

The rapid escalation of sophisticated surveillance techniques in early 2026 has forced digital privacy tools to transition from simple marketing promises to verifiable technical realities that withstand the scrutiny of professional auditors. X-VPN recently responded to this growing demand for transparency by commissioning an extensive independent no-logs audit from a Big Four firm, marking a significant shift in how the

MoneyGram Launches MGUSD Stablecoin on Stellar Blockchain
June 2, 2026

The global financial landscape is currently undergoing a massive transformation where traditional money transfer services are merging with decentralized finance to solve long-standing liquidity issues and infrastructure gaps. For decades, moving money across borders involved a series of intermediary banks, high fees, and significant delays that disproportionately affected underbanked populations. However, the rise of blockchain technology has introduced a faster