Microsoft 365’s Inclusion of SketchUp 3D Library Reveals Numerous Vulnerabilities

Microsoft’s inclusion of support for the SketchUp 3D Library in Microsoft 365 presents a noteworthy security concern for users. The integration of SketchUp into the cloud-based productivity and collaboration tools has been identified as a vulnerability. This article aims to delve into the disclosure of high-severity bugs, the bypassing of fixes, the impact on Microsoft 365 users, the discovery of multiple vulnerabilities, Microsoft’s assessment of severity, exploit scenarios, and provide background information on SketchUp.

Disclosure of High-Severity Bugs

Last December, researchers from Trend Micro’s Zero-Day Initiative (ZDI) revealed four high-severity remote code execution bugs in Microsoft 365. These bugs specifically affected the parsing of SketchUp files within the software suite. Microsoft promptly assigned three CVE (Common Vulnerabilities and Exposures) identifiers – CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 – and released patches to address these vulnerabilities in the May and June security updates.

Despite the patches, ThreatLabz researchers managed to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June of 2023. Initially described as a temporary measure, support for SketchUp remains disabled in Microsoft 365. This disabling emphasizes the severity of the vulnerabilities associated with SketchUp integration within the software suite.

Impact on Microsoft 365 Users

SketchUp is one of the most widely used formats available to Microsoft 365 users for inserting 3D files into applications such as Word, Excel, Outlook, and PowerPoint. Its popularity makes the vulnerabilities all the more concerning as it increases the potential attack surface for hackers aiming to exploit the weaknesses. Users must exercise caution when dealing with SketchUp files and consider alternative 3D file formats to mitigate the risks.

Discovery of Numerous Vulnerabilities

The Zscaler ThreatLabz researchers uncovered a staggering 117 vulnerabilities related to SketchUp when analyzing the dynamic link library responsible for parsing 3D file formats in Microsoft 365 apps. This discovery demonstrates the extent to which the integration of SketchUp has introduced potential avenues for attackers to exploit the software suite’s security.

Severity Assessment by Microsoft

After assessing the vulnerabilities, Microsoft classified them as being of important severity, which is marginally lower in terms of remediation priority than critical severity bugs. This classification emphasizes the significance of addressing these vulnerabilities promptly to ensure the overall security of Microsoft 365 and its users.

Exploit Scenarios and Precautions

Microsoft has described the vulnerabilities as issues that attackers can only exploit by tricking potential victims into running malicious files. This underscores the need for users to exercise caution when handling SketchUp files and to be vigilant against potential phishing attempts or other social engineering tactics that may lead to the execution of such files.

Background on SketchUp

SketchUp was first developed by @Last Software in 2000 and later transitioned to Google in 2006. It is now owned by Trimble Navigation. Over the years, SketchUp has become one of the most widely recognized and utilized 3D modeling tools available. Its versatility and ease of use have made it popular among professionals and amateur designers alike, contributing to its prominence in the 3D file format landscape.

The integration of SketchUp within Microsoft 365’s suite of cloud-based productivity and collaboration tools has unintentionally exposed users to numerous vulnerabilities. Despite patches released by Microsoft, the bypass discovered by ThreatLabz researchers forced the company to temporarily disable support for SketchUp. The discovery of 117 vulnerabilities highlights the potential risks associated with this integration. Microsoft’s classification of the vulnerabilities as being of high severity reinforces the need for users to remain vigilant and adopt additional security measures when handling SketchUp files. As Microsoft works to address these vulnerabilities, users must prioritize security to ensure the safety of their data and systems within the Microsoft 365 environment.

Explore more

Why Are Small Businesses Losing Confidence in Marketing?

In the ever-evolving landscape of commerce, small and mid-sized businesses (SMBs) globally are grappling with a perplexing challenge: despite pouring more time, energy, and resources into marketing, their confidence in achieving impactful results is waning, and recent findings reveal a stark reality where only a fraction of these businesses feel assured about their strategies. Many struggle to measure success or

How Are AI Agents Revolutionizing Chatbot Marketing?

In an era where digital interaction shapes customer expectations, Artificial Intelligence (AI) is fundamentally altering the landscape of chatbot marketing with unprecedented advancements. Once limited to answering basic queries through rigid scripts, chatbots have evolved into sophisticated AI agents capable of managing intricate workflows and delivering seamless engagement. Innovations like Silverback AI Chatbot’s updated framework exemplify this transformation, pushing the

How Does Klaviyo Lead AI-Driven B2C Marketing in 2025?

In today’s rapidly shifting landscape of business-to-consumer (B2C) marketing, artificial intelligence (AI) has emerged as a pivotal force, reshaping how brands forge connections with their audiences. At the forefront of this transformation stands Klaviyo, a marketing platform that has solidified its reputation as an industry pioneer. By harnessing sophisticated AI technologies, Klaviyo enables companies to craft highly personalized customer experiences,

How Does Azure’s Trusted Launch Upgrade Enhance Security?

In an era where cyber threats are becoming increasingly sophisticated, businesses running workloads in the cloud face constant challenges in safeguarding their virtual environments from advanced attacks like bootkits and firmware exploits. A significant step forward in addressing these concerns has emerged with a recent update from Microsoft, introducing in-place upgrades for a key security feature on Azure Virtual Machines

How Does Digi Power X Lead with ARMS 200 AI Data Centers?

In an era where artificial intelligence is reshaping industries at an unprecedented pace, the demand for robust, reliable, and scalable data center infrastructure has never been higher, and Digi Power X is stepping up to meet this challenge head-on with innovative solutions. This NASDAQ-listed energy infrastructure company, under the ticker DGXX, recently made headlines with a groundbreaking achievement through its