More Than 100 Vulns in Microsoft 365 Tied to SketchUp 3D Library

Published: 23/11/2024   Category: security

While Microsoft patched the issues in June, support for SketchUp appears to remain disabled in Microsoft 365.



Microsoft's move to add support for the SketchUp 3D library to Microsoft 365 in June 2022 appears to have introduced numerous vulnerabilities in the company's suite of cloud-based productivity and collaboration tools.
The latest evidence of that is a report this week from Zscaler's ThreatLabz on the security vendor's discovery of as many as 117 unique vulnerabilities in Microsoft 365 via SketchUp, found within just a three-month period of poking at the technology.
Last December, researchers from Trend Micro's Zero-Day Initiative (ZDI) disclosed four high-severity remote code execution bugs in Microsoft 365 related to SketchUp file parsing. It was ZDI's research that prompted Zscaler ThreatLabz's investigation and its subsequent discovery of the new set of bugs earlier this year.
Microsoft assigned three CVE identifiers collectively for the bugs, CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146, and released patches for them in its May and June security updates. However, ThreatLabz researchers were able to develop a bypass for the fixes, prompting Microsoft to disable support for SketchUp in June 2023. Though the company at the time described the disablement as a temporary measure, support for SketchUp appears to remain disabled in Microsoft 365.
"The ability to insert SketchUp graphics (.skp files) has been temporarily disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac," Microsoft noted in a June 1, 2023, update on SketchUp. "Versions of Office that had this feature enabled will no longer have access [to] it. 3D models in Office documents that were previously inserted from a SketchUp file will continue to work as expected unless the Link to File option was chosen at insert time." Microsoft 365 includes the vendor's Office apps.
Microsoft did not immediately respond to a request seeking clarification on the current status of SketchUp support in Microsoft 365.
CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 are all remote code execution bugs tied to SketchUp (.skp) file parsing, just like the bugs that ZDI disclosed last December. Microsoft rated the vulnerabilities as Important severity, which typically sits one notch below Critical from a remediation-priority standpoint. The company described all three vulnerabilities as issues an attacker could exploit only by tricking a victim into opening a specially crafted file; no exploitation without user interaction has been described.
SketchUp is one of the more widely used of the seven formats that Microsoft 365 users can choose from to insert 3D files into the Windows and Mac versions of Word, Excel, Outlook, and PowerPoint. The other formats include Binary GL Transmission Format (*.glb), Filmbox Format (*.fbx), Object Format (*.obj), and Polygon Format (*.ply). SketchUp was first developed by @Last Software in 2000, passed to Google in 2006, and is now owned by Trimble Navigation.
Zscaler ThreatLabz researchers discovered the 117 SketchUp-related vulnerabilities while analyzing a dynamic link library (DLL) that is responsible for parsing 3D file formats in Microsoft 365 apps, according to Kai Lu, a senior researcher with the security vendor. "In particular, we discovered Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file," Lu said in his blog post this week on the discovery. Reverse-engineering that functionality led to the discovery of several exploitable issues in the software, the researcher said. The practical consequence for defenders is that the attack surface is the SKP parser itself, reached whenever Office is asked to render an .skp model, so the useful control while the feature is disabled is to find .skp content before it reaches a client that still has the feature enabled.
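As an added example, and not code from the article, Zscaler, or Microsoft, the following Python script does the triage check a responder would want here: it inspects loose files and Office Open XML packages (which are zip containers) and flags anything whose bytes begin with the SketchUp model header, regardless of file or member extension. The header used, 0xFF 0xFE 0xFF, a length byte, then "SketchUp Model" in UTF-16LE, comes from public file-signature references and is an assumption of this example. Whether Office keeps inserted .skp bytes verbatim inside a saved document is not stated in the article, which is why the scan keys on content rather than on member names. The sample package the script builds is constructed for the demo and is not a real Word file.

```python
"""Flag SketchUp (.skp) content in loose files and in OOXML packages.

Added example. Assumption: SKP files start with 0xFF 0xFE 0xFF, a length
byte (0x0E = 14 characters), then "SketchUp Model" encoded as UTF-16LE.
That signature is taken from public file-signature references, not from
the article this example accompanies.
"""
import io
import zipfile
from typing import List, Tuple

# Assumed SketchUp model header (see module docstring).
SKP_MAGIC = b"\xff\xfe\xff\x0e" + "SketchUp Model".encode("utf-16-le")


def looks_like_skp(data: bytes) -> bool:
    """True if the byte string begins with the SketchUp model header."""
    return data.startswith(SKP_MAGIC)


def scan_package(data: bytes) -> List[str]:
    """Return names of zip members whose content starts with the SKP header.

    Member names and extensions are ignored on purpose: an attacker can
    rename an .skp part, and Office may store media under its own names.
    Only the first len(SKP_MAGIC) bytes of each member are read.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            with pkg.open(info) as member:
                head = member.read(len(SKP_MAGIC))
            if looks_like_skp(head):
                hits.append(info.filename)
    return hits


def scan_blob(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Classify one file by content.

    Returns (container, member) pairs: a bare SKP file yields (name, ""),
    a zip container yields one pair per matching member, anything else [].
    """
    if looks_like_skp(data):
        return [(name, "")]
    if zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, member) for member in scan_package(data)]
    return []


def build_sample_docx(embed_skp: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (not a real Word file).

    The .glb member is a decoy with a glTF binary header so the scan has to
    discriminate by content; the SKP part is stored under a .bin name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/media/model1.glb", b"glTF" + b"\x02\x00\x00\x00")
        if embed_skp:
            pkg.writestr("word/media/model2.bin", SKP_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean.docx": build_sample_docx(embed_skp=False),
        "suspect.docx": build_sample_docx(embed_skp=True),
        "model.dat": SKP_MAGIC + b"\x00" * 8,   # renamed bare SKP file
    }
    for fname, blob in samples.items():
        for container, member in scan_blob(fname, blob):
            where = f"{container}!{member}" if member else container
            print(f"SKP content found: {where}")
```

Run it against a quarantine directory by feeding each file's bytes to scan_blob; a hit does not mean the file is malicious, only that it carries data the disabled SKP parser would have handled, which is the population worth detonating or holding back from clients that still have SketchUp support enabled.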
