In June 2022 [1] [2], Microsoft 365 introduced support for the SketchUp 3D Library [1]. However, this integration led to the discovery of multiple vulnerabilities in Microsoft's cloud-based productivity and collaboration tools [1].

Description

ThreatLabz conducted research and identified 117 unique vulnerabilities in Microsoft 365 apps within a three-month period, all stemming from the SketchUp 3D Library. Microsoft assigned CVE numbers to these vulnerabilities. The investigation was prompted by the disclosure of four high-severity remote code execution bugs related to SketchUp file parsing [1], which were reported by Trend Micro’s Zero-Day Initiative. Microsoft promptly released patches for these bugs [1], but researchers at ThreatLabz were able to develop a bypass, which led Microsoft to disable support for SketchUp in June 2023 [1]. As a result, the ability to insert SketchUp graphics in Microsoft 365’s Office apps was temporarily disabled [1]. It remains uncertain whether SketchUp support has been re-enabled [1].

Conclusion

The vulnerabilities discovered in Microsoft 365’s cloud-based productivity and collaboration tools have had significant implications. While Microsoft took steps to address the high-severity bugs, the subsequent bypass developed by ThreatLabz led to the temporary disabling of SketchUp support. The impact of this decision was felt by users who were unable to insert SketchUp graphics in Microsoft 365’s Office apps. Moving forward, it remains to be seen if SketchUp support will be reinstated and what measures will be taken to prevent similar vulnerabilities in the future.

References

[1] https://www.darkreading.com/vulnerabilities-threats/more-than-100-vulnerabilities-in-microsoft-office-tied-to-sketchup-3d-library
[2] https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d