Microsoft 365’s Inclusion of SketchUp 3D Library Reveals Numerous Vulnerabilities

Microsoft’s inclusion of support for the SketchUp 3D Library in Microsoft 365 presents a noteworthy security concern for users. The integration of SketchUp into the cloud-based productivity and collaboration tools has been identified as a vulnerability. This article aims to delve into the disclosure of high-severity bugs, the bypassing of fixes, the impact on Microsoft 365 users, the discovery of multiple vulnerabilities, Microsoft’s assessment of severity, exploit scenarios, and provide background information on SketchUp.

Disclosure of High-Severity Bugs

Last December, researchers from Trend Micro’s Zero-Day Initiative (ZDI) revealed four high-severity remote code execution bugs in Microsoft 365. These bugs specifically affected the parsing of SketchUp files within the software suite. Microsoft promptly assigned three CVE (Common Vulnerabilities and Exposures) identifiers – CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 – and released patches to address these vulnerabilities in the May and June security updates.

Despite the patches, ThreatLabz researchers managed to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June of 2023. Initially described as a temporary measure, support for SketchUp remains disabled in Microsoft 365. This disabling emphasizes the severity of the vulnerabilities associated with SketchUp integration within the software suite.

Impact on Microsoft 365 Users

SketchUp is one of the most widely used formats available to Microsoft 365 users for inserting 3D files into applications such as Word, Excel, Outlook, and PowerPoint. Its popularity makes the vulnerabilities all the more concerning as it increases the potential attack surface for hackers aiming to exploit the weaknesses. Users must exercise caution when dealing with SketchUp files and consider alternative 3D file formats to mitigate the risks.

Discovery of Numerous Vulnerabilities

The Zscaler ThreatLabz researchers uncovered a staggering 117 vulnerabilities related to SketchUp when analyzing the dynamic link library responsible for parsing 3D file formats in Microsoft 365 apps. This discovery demonstrates the extent to which the integration of SketchUp has introduced potential avenues for attackers to exploit the software suite’s security.

Severity Assessment by Microsoft

After assessing the vulnerabilities, Microsoft classified them as being of important severity, which is marginally lower in terms of remediation priority than critical severity bugs. This classification emphasizes the significance of addressing these vulnerabilities promptly to ensure the overall security of Microsoft 365 and its users.

Exploit Scenarios and Precautions

Microsoft has described the vulnerabilities as issues that attackers can only exploit by tricking potential victims into running malicious files. This underscores the need for users to exercise caution when handling SketchUp files and to be vigilant against potential phishing attempts or other social engineering tactics that may lead to the execution of such files.

Background on SketchUp

SketchUp was first developed by @Last Software in 2000 and later transitioned to Google in 2006. It is now owned by Trimble Navigation. Over the years, SketchUp has become one of the most widely recognized and utilized 3D modeling tools available. Its versatility and ease of use have made it popular among professionals and amateur designers alike, contributing to its prominence in the 3D file format landscape.

The integration of SketchUp within Microsoft 365’s suite of cloud-based productivity and collaboration tools has unintentionally exposed users to numerous vulnerabilities. Despite patches released by Microsoft, the bypass discovered by ThreatLabz researchers forced the company to temporarily disable support for SketchUp. The discovery of 117 vulnerabilities highlights the potential risks associated with this integration. Microsoft’s classification of the vulnerabilities as being of high severity reinforces the need for users to remain vigilant and adopt additional security measures when handling SketchUp files. As Microsoft works to address these vulnerabilities, users must prioritize security to ensure the safety of their data and systems within the Microsoft 365 environment.

Explore more

Ethereum’s Fragile Recovery Faces Resistance and Low Demand

The Ethereum ecosystem is currently navigating a treacherous landscape where price action struggles to align with the technical milestones achieved during the most recent network upgrades. While the shift to a more scalable architecture was intended to invite a surge of institutional and retail capital, the reality in 2026 shows a market plagued by indecision and a noticeable lack of

macOS 28 Drops Support for Encrypted Mac OS Extended Volumes

The landscape of digital storage has shifted dramatically over the past decade, leaving legacy file systems struggling to keep pace with the rigorous security demands of modern computing environments. With the release of macOS 28, the long-standing compatibility for encrypted Mac OS Extended (HFS+) volumes has officially reached its end of life, signaling a definitive transition toward the more robust

CapCut Named 2026 Leader in AI Social Media Content Creation

The rapid evolution of generative artificial intelligence has fundamentally altered the digital landscape, shifting the burden of high-quality video production from specialized studios to the palm of every creator’s hand across the globe. By mid-2026, the demand for short-form content reached an all-time high, necessitating tools that could keep pace with the volatile trends of social media algorithms. CapCut emerged

How Will AI and RPA Shape Desktop Automation in 2026?

The integration of cognitive computing with traditional robotic process automation has fundamentally altered the way desktop environments operate across global industries today. No longer confined to the rigid, rule-based scripts of previous cycles, modern automation tools now serve as dynamic, goal-oriented assistants capable of navigating the intricacies of fragmented software landscapes. This shift has allowed organizations to bridge the significant

UiPath Navigates AI Pivot Amid Market Skepticism

The transition from legacy robotic process automation to a sophisticated, agent-centric architecture has forced enterprise software giants to fundamentally rethink their value propositions in an era defined by autonomous reasoning. This paradigm shift represents more than a mere software update; it is a complete structural overhaul that seeks to bridge the gap between simple task execution and complex cognitive decision-making.