Security vendor Zscaler on Tuesday said it had found 117 vulnerabilities in Microsoft 365 Apps resulting from Microsoft's support of SketchUp 3D files.
SketchUp (SKP) is a proprietary 3D model file format, first developed in 2000, used by the popular 3D modeling application SketchUp. Support for the format was integrated into Microsoft 365's Office 3D component last year. Zscaler's ThreatLabz research team said the 117 vulnerabilities it found in Microsoft 365 Apps were introduced by that integration.
Zscaler found the flaws by reverse engineering the Office 3D component of Microsoft 365 Apps, the feature that lets users insert 3D models into Microsoft documents. In doing so, it discovered that "Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file," according to a blog post. The researchers used that API, its publicly available documentation and thousands of SKP file samples to build fuzzing harnesses, which they then ran under the Windows fuzzing tool WinAFL.
An initial timeout issue Zscaler found in Office 3D led to the discovery of 20 vulnerabilities in one month, including heap buffer overflows, out-of-bounds writes and stack buffer overflows, among others. Researchers then found that the SKP parsing path also handled Microsoft Foundation Class and Ventuz File Format data types and called into APIs of the open-source image library FreeImage, which was last updated in 2018, widening the attack surface further. Following these breakthroughs, researchers found 97 more vulnerabilities in two months.
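To make the workflow above concrete, here is an added example of the shape of a WinAFL-style harness: a single target function that takes a file path, parses the file and returns, so the fuzzer can swap in a mutated file and re-invoke the function in-process on every iteration. This is illustrative code, not Zscaler's harness or Microsoft's parser. Because the real SketchUp SDK cannot be linked here, the SketchUp call is replaced by a hypothetical toy chunk format and parser (`parse_toy`), and the parser also shows where the length checks sit whose absence produces the heap overflow, out-of-bounds write and stack overflow classes named in the article. The sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy chunked format (a stand-in for SKP, not the real format):
 * 4-byte magic "TOY1", then chunks of [u32 LE tag][u32 LE length][payload]. */
#define TOY_MAGIC "TOY1"
#define MAX_NAME  16   /* fixed-size destination for tag-1 ("name") chunks */

enum { PARSE_OK = 0, PARSE_BAD_MAGIC = 1, PARSE_TRUNCATED = 2,
       PARSE_TOO_LONG = 3, PARSE_IO_ERROR = 4 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parser under test. Every attacker-controlled length is checked against the
 * bytes remaining in the input AND against the destination buffer before any
 * copy. Dropping the first check gives an out-of-bounds read past the input
 * buffer; dropping the second gives a stack buffer overflow of name[]. */
int parse_toy(const uint8_t *buf, size_t n, size_t *chunks_out) {
    char name[MAX_NAME];
    size_t off = 4, chunks = 0;

    if (n < 4 || memcmp(buf, TOY_MAGIC, 4) != 0) return PARSE_BAD_MAGIC;
    while (off < n) {
        if (n - off < 8) return PARSE_TRUNCATED;        /* chunk header must fit */
        uint32_t tag = rd32(buf + off);
        uint32_t len = rd32(buf + off + 4);
        off += 8;
        if (len > n - off) return PARSE_TRUNCATED;      /* payload must fit in input */
        if (tag == 1) {
            if (len >= MAX_NAME) return PARSE_TOO_LONG; /* payload must fit in name[] */
            memcpy(name, buf + off, len);
            name[len] = '\0';
        }
        off += len;
        chunks++;
    }
    if (chunks_out) *chunks_out = chunks;
    return PARSE_OK;
}

/* WinAFL-style target: one call parses one file and returns. WinAFL hooks this
 * function, writes a mutated test case to `path`, and re-runs the function
 * in-process for each iteration, so it must free everything it allocates. */
int fuzz_one(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return PARSE_IO_ERROR;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return PARSE_IO_ERROR; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return PARSE_IO_ERROR; }
    rewind(f);
    uint8_t *buf = malloc(sz > 0 ? (size_t)sz : 1);
    if (!buf) { fclose(f); return PARSE_IO_ERROR; }
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    int rc = parse_toy(buf, got, NULL);
    free(buf);
    return rc;
}

/* Constructed sample inputs for the toy format (not real SKP data). */
static const uint8_t SAMPLE_VALID[] = {
    'T','O','Y','1',  1,0,0,0,  5,0,0,0,  'h','e','l','l','o' };
static const uint8_t SAMPLE_TRUNCATED[] = {             /* length > bytes present */
    'T','O','Y','1',  1,0,0,0,  100,0,0,0,  'h','i' };
static const uint8_t SAMPLE_OVERLONG[] = {              /* fits input, not name[] */
    'T','O','Y','1',  1,0,0,0,  16,0,0,0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
static const uint8_t SAMPLE_BAD_MAGIC[] = { 'S','K','P','!' };

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    int rc = fuzz_one(argv[1]);
    printf("%s -> %d\n", argv[1], rc);
    return rc == PARSE_OK ? 0 : 1;
}
```

In a real harness the body of `fuzz_one` would instead call the SketchUp C API's model-loading entry point (for example `SUModelCreateFromFile` from the public SDK) and release the model afterwards; WinAFL's instrumentation then reports any crash inside that call, and the three vulnerability classes above all surface as such crashes once a length field is trusted without one of the two checks shown.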
Microsoft grouped the flaws into three CVEs: CVE-2023-28285, CVE-2023-29344 and CVE-2023-33146. Microsoft classified all three as remote code execution vulnerabilities, and each was assigned a "high severity" CVSS score of 7.8. The company has released a patch, available now to all users of Microsoft 365 Apps, and has temporarily disabled support for the SketchUp file format in Office.
Kai Lu, senior principal security researcher at Zscaler, told TechTarget Editorial that ThreatLabz "has not observed any evidence of exploitation for these vulnerabilities" but noted exploitation was not impossible.
"There is a possibility that a skilled threat actor can discover and weaponize the same (or similar) vulnerabilities," Lu wrote in an email. "The decision to temporarily disable support for SketchUp will prevent exploitation for versions that have been patched and limit the potential impact."
Asked about the potential attack surface for the flaws and Microsoft's assignment of only three CVEs, Lu said Microsoft assigns CVEs "based on their patches rather than for an individual vulnerability." He added that "the SketchUp attack surface is very large and likely a significant factor in Microsoft's decision to disable SketchUp until the underlying vulnerabilities are addressed."
A Microsoft spokesperson told TechTarget Editorial that "our customers have been protected since June when this feature was temporarily disabled" and advised customers to view the current status of SketchUp file support on a dedicated page.
SketchUp publisher Trimble did not respond to TechTarget Editorial's request for comment.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.