Security vendor Zscaler has reported the discovery of 117 vulnerabilities in Microsoft 365 Apps, all arising from its support for SketchUp 3D files. SketchUp (SKP) is the native file format of the SketchUp 3D modeling software, and Microsoft added support for it to the Office 3D component of Microsoft 365 last year. Zscaler’s ThreatLabz research team found the vulnerabilities while analyzing that component.
To find the flaws, Zscaler’s researchers reverse engineered the Office 3D component and used the SketchUp C API to parse SKP files. Combining that API with the publicly available format documentation and thousands of sample SKP files, they built fuzzing harnesses and ran them under WinAFL, the Windows port of the AFL fuzzer, which surfaced the vulnerabilities.
The first finding was an input that made Office 3D hang until it timed out. Following that lead produced 20 vulnerabilities within a month, among them heap buffer overflows, out-of-bounds writes, and stack buffer overflows. Further analysis showed that the Office 3D code that parses SKP files also handles Microsoft Foundation Class (MFC) and Ventuz File Format data types and calls into the open-source FreeImage library; fuzzing those code paths as well uncovered a further 97 vulnerabilities over the next two months.
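The harness approach described above, as an added example that is not Zscaler’s code and is not part of the original article. WinAFL in DynamoRIO mode locates one exported function in the target binary, calls it repeatedly in-process with the mutated file path (persistent mode), and records the coverage it produces, so the harness exposes a single `fuzz_one_file(path)` entry point that does all per-input work and frees everything before returning. The SketchUp SDK calls (`SUInitialize`, `SUModelCreateFromFile`, `SUModelRelease`, `SUTerminate`, the umbrella header path) are behind `HAVE_SKETCHUP_SDK` and are assumed from the public SketchUp C API documentation; without the SDK a small hypothetical "CHNK" container parser stands in so the harness structure can be built and exercised anywhere. The sample inputs in the comments are constructed.

```c
/* Added example: WinAFL-style persistent-mode harness around a file parser.
 * SketchUp SDK calls are assumed from its public C API docs and compiled only
 * with -DHAVE_SKETCHUP_SDK; otherwise a hypothetical "CHNK" parser stands in. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_SKETCHUP_SDK
#include <SketchUpAPI/sketchup.h>   /* assumed umbrella header of the SketchUp C SDK */
#endif

/* WinAFL (DynamoRIO mode) looks the target function up by exported name and
 * calls it in a loop inside one process, so it must be exported and not inlined. */
#ifdef _WIN32
#define HARNESS_TARGET __declspec(dllexport) __declspec(noinline)
#else
#define HARNESS_TARGET __attribute__((noinline))
#endif

#define MAX_INPUT (64u * 1024 * 1024)   /* refuse absurd inputs before allocating */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in parser for a hypothetical container (constructed for this example):
 * "CHNK" magic, then chunks of {u32 type, u32 size, size bytes of payload}.
 * Returns the chunk count, or -1 on malformed input. The `size > remaining`
 * test is exactly the check whose absence turns an attacker-controlled length
 * field into the out-of-bounds reads and writes that fuzzing finds. */
int parse_chunks(const uint8_t *buf, size_t len) {
    if (len < 4 || memcmp(buf, "CHNK", 4) != 0) return -1;
    size_t off = 4;
    int count = 0;
    while (off < len) {
        if (len - off < 8) return -1;            /* truncated chunk header */
        uint32_t size = le32(buf + off + 4);     /* type at off, size at off+4 */
        off += 8;
        if (size > len - off) return -1;         /* length field exceeds the data */
        off += size;
        count++;
    }
    return count;
}

/* The WinAFL target. Result codes: >=0 parsed, -1 parser rejected the input,
 * -2 harness I/O problem. No state may survive between calls. */
HARNESS_TARGET int fuzz_one_file(const char *path) {
#ifdef HAVE_SKETCHUP_SDK
    SUModelRef model = SU_INVALID;
    if (SUModelCreateFromFile(&model, path) != SU_ERROR_NONE) return -1;
    SUModelRelease(&model);      /* free per-iteration state; leaks skew later runs */
    return 0;
#else
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -2; }
    long sz = ftell(f);
    if (sz < 0 || (unsigned long)sz > MAX_INPUT) { fclose(f); return -2; }
    rewind(f);
    uint8_t *buf = malloc(sz ? (size_t)sz : 1);
    if (!buf) { fclose(f); return -2; }
    if (fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); fclose(f); return -2; }
    fclose(f);
    int r = parse_chunks(buf, (size_t)sz);
    free(buf);
    return r;
#endif
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file> [iterations]\n", argv[0]);
        return 2;
    }
    int iterations = argc > 2 ? atoi(argv[2]) : 1;
#ifdef HAVE_SKETCHUP_SDK
    SUInitialize();              /* one-time library setup stays outside the target */
#endif
    int last = 0;
    for (int i = 0; i < iterations; i++) last = fuzz_one_file(argv[1]);
#ifdef HAVE_SKETCHUP_SDK
    SUTerminate();
#endif
    printf("result %d\n", last);
    return last < 0 ? 1 : 0;
}
```

Build it as `harness.exe` on Windows and point WinAFL at the exported symbol, for example `afl-fuzz.exe -i in -o out -D C:\DRIO\bin64 -t 20000 -- -coverage_module harness.exe -fuzz_iterations 5000 -target_module harness.exe -target_method fuzz_one_file -nargs 1 -- harness.exe @@`, where `in` holds the seed SKP corpus. Keeping library initialization in `main` and all per-input allocation and release inside `fuzz_one_file` is what makes the persistent loop valid: if a model leaked across iterations, a crash on iteration 3000 would depend on inputs the fuzzer no longer has.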
Microsoft addressed the 117 findings under three CVEs: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146. It classified all three as remote code execution vulnerabilities with a CVSS score of 7.8 (high), the score typical of file-parsing bugs that require a user to open a crafted document. Microsoft released fixes for Microsoft 365 Apps and, as an additional stopgap, temporarily disabled support for the SketchUp file format in Office.
Kai Lu, senior principal security researcher at Zscaler, stated that they have not observed any evidence of exploitation for these vulnerabilities. However, Lu acknowledged that it is not impossible for skilled threat actors to discover and weaponize the same vulnerabilities. He emphasized that the temporary disabling of SketchUp support will prevent exploitation for patched versions and minimize potential risks.
When asked about the potential attack surface and Microsoft’s decision to assign only three CVEs, Lu explained that Microsoft assigns CVEs based on patches rather than individual vulnerabilities. He also noted that the SketchUp attack surface is extensive, which likely influenced Microsoft’s decision to disable SketchUp until the underlying vulnerabilities are addressed.
As of now, neither Microsoft nor SketchUp publisher Trimble has responded to requests for comment from TechTarget Editorial.
Zscaler’s findings illustrate how much attack surface a single new file-format parser adds to a widely deployed application. Adding SketchUp support to Microsoft 365 Apps introduced over a hundred memory-safety bugs, which Microsoft addressed both by patching and by temporarily disabling the format. No exploitation has been reported, but parsers reachable by opening a document are a routine target for skilled attackers, so administrators should apply the current Microsoft 365 Apps updates, confirm that installations are on a patched build rather than relying on the SketchUp disablement alone, and watch for further advisories from Microsoft on when and how the format is re-enabled.