Microsoft 365’s Inclusion of SketchUp 3D Library Reveals Numerous Vulnerabilities

Microsoft’s inclusion of support for the SketchUp 3D Library in Microsoft 365 presents a noteworthy security concern for users. The integration of SketchUp into the cloud-based productivity and collaboration tools has been identified as a vulnerability. This article aims to delve into the disclosure of high-severity bugs, the bypassing of fixes, the impact on Microsoft 365 users, the discovery of multiple vulnerabilities, Microsoft’s assessment of severity, exploit scenarios, and provide background information on SketchUp.

Disclosure of High-Severity Bugs

Last December, researchers from Trend Micro’s Zero-Day Initiative (ZDI) revealed four high-severity remote code execution bugs in Microsoft 365. These bugs specifically affected the parsing of SketchUp files within the software suite. Microsoft promptly assigned three CVE (Common Vulnerabilities and Exposures) identifiers – CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 – and released patches to address these vulnerabilities in the May and June security updates.

Despite the patches, ThreatLabz researchers managed to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June of 2023. Initially described as a temporary measure, support for SketchUp remains disabled in Microsoft 365. This disabling emphasizes the severity of the vulnerabilities associated with SketchUp integration within the software suite.

Impact on Microsoft 365 Users

SketchUp is one of the most widely used formats available to Microsoft 365 users for inserting 3D files into applications such as Word, Excel, Outlook, and PowerPoint. Its popularity makes the vulnerabilities all the more concerning as it increases the potential attack surface for hackers aiming to exploit the weaknesses. Users must exercise caution when dealing with SketchUp files and consider alternative 3D file formats to mitigate the risks.

Discovery of Numerous Vulnerabilities

The Zscaler ThreatLabz researchers uncovered a staggering 117 vulnerabilities related to SketchUp when analyzing the dynamic link library responsible for parsing 3D file formats in Microsoft 365 apps. This discovery demonstrates the extent to which the integration of SketchUp has introduced potential avenues for attackers to exploit the software suite’s security.

Severity Assessment by Microsoft

After assessing the vulnerabilities, Microsoft classified them as being of important severity, which is marginally lower in terms of remediation priority than critical severity bugs. This classification emphasizes the significance of addressing these vulnerabilities promptly to ensure the overall security of Microsoft 365 and its users.

Exploit Scenarios and Precautions

Microsoft has described the vulnerabilities as issues that attackers can only exploit by tricking potential victims into running malicious files. This underscores the need for users to exercise caution when handling SketchUp files and to be vigilant against potential phishing attempts or other social engineering tactics that may lead to the execution of such files.

Background on SketchUp

SketchUp was first developed by @Last Software in 2000 and later transitioned to Google in 2006. It is now owned by Trimble Navigation. Over the years, SketchUp has become one of the most widely recognized and utilized 3D modeling tools available. Its versatility and ease of use have made it popular among professionals and amateur designers alike, contributing to its prominence in the 3D file format landscape.

The integration of SketchUp within Microsoft 365’s suite of cloud-based productivity and collaboration tools has unintentionally exposed users to numerous vulnerabilities. Despite patches released by Microsoft, the bypass discovered by ThreatLabz researchers forced the company to temporarily disable support for SketchUp. The discovery of 117 vulnerabilities highlights the potential risks associated with this integration. Microsoft’s classification of the vulnerabilities as being of high severity reinforces the need for users to remain vigilant and adopt additional security measures when handling SketchUp files. As Microsoft works to address these vulnerabilities, users must prioritize security to ensure the safety of their data and systems within the Microsoft 365 environment.

Explore more

Visa Launches SDK to Expand Digital Payments Across Africa

A local street vendor in Accra or a tech-savvy freelancer in Dar es Salaam often finds that having a mobile wallet is not enough to participate in the lucrative global digital economy. While local transfers have flourished, the inability to access international marketplaces creates a glass ceiling for millions of ambitious African entrepreneurs and consumers. The launch of the Visa

Uzbekistan Rapidly Transforms Its Digital Financial Sector

A traveler walking through the bustling Chorsu Bazaar in Tashkent today would likely witness a scene that would have been unrecognizable only a few years ago: vendors who once strictly dealt in stacks of som notes now effortlessly accept instant QR code payments on their mobile devices. This micro-level shift at a local market stall reflects a macro-level upheaval within

How Remote Work and AI Are Eroding Entry-Level Hiring

The traditional expectation that a university degree serves as a guaranteed entry point into a stable professional trajectory has collided with a harsh new economic reality where early-career opportunities are rapidly evaporating. While the labor market has historically rewarded the vigor and potential of young graduates, a silent decoupling occurred that left the newest members of the workforce navigating a

Salesforce, NiCE, and Oracle Lead ISG 2026 CXM Rankings

The modern consumer’s loyalty now hinges on a singular, invisible thread that snaps the moment a customer is forced to repeat their grievance to a third representative who has no record of the previous conversation. In a marketplace defined by hyper-competition, these fragmented experiences are no longer merely inconvenient; they are financially catastrophic for the enterprise. As organizations struggle with

Has Hyper-Measurement Killed Creativity in B2B Marketing?

The digital dashboard promised a world of absolute certainty where every marketing dollar could be tracked with surgical precision, yet many B2B brands now find themselves invisible in a sea of data-driven sameness. While marketing departments once thrived on intuition and bold storytelling, the modern era has substituted that creative spark for a reliance on real-time analytics that often prioritizes