Cybersecurity researchers at Zscaler have discovered more than a hundred vulnerabilities in Microsoft 365 introduced with the addition of SketchUp to the cloud productivity suite.
To make matters worse, they claim that they have managed to bypass the patches that Microsoft released to fix these bugs.
Zscaler’s ThreatLabz team published a report claiming to have found 117 vulnerabilities in Microsoft 365 apps, all in the part of the productivity suite that supports SketchUp 3D files (SKP).
Essentially, the program allows users to add 3D models to Microsoft documents and was first introduced in August 2000. Last year, it was integrated into the Office 3D component of Microsoft 365.
By reverse engineering the Office 3D components, the researchers discovered that Microsoft used multiple SketchUp C APIs to let the programs parse an SKP file. That led them first to the discovery of 20 flaws, and then to another 97 flaws. Most are vulnerabilities in the form of heap buffer overflow, out-of-bounds write or stack buffer overflow.
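The three bug classes named above (heap buffer overflow, out-of-bounds write, stack buffer overflow) are what a file parser produces when it trusts lengths and counts read from the file. The following added example is not code from Zscaler, Microsoft or SketchUp and does not model the SKP format; it parses a made-up tag/length/payload record format (names such as `parse_model`, `NAME_MAX` and `MAX_VERTICES` are assumptions for this illustration) and shows the checks a defender expects at each point where file-supplied sizes meet a fixed-size or file-sized buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format, for illustration only (this is NOT the SKP format):
 * record := tag(1 byte) | length(2 bytes, little-endian) | payload(length bytes)
 *   tag 0x01: model name (bytes, copied into a fixed buffer)
 *   tag 0x02: u32 vertex count followed by count * 3 little-endian floats */

#define NAME_MAX 8          /* fixed-size buffer: an unchecked copy here is a stack/struct overflow */
#define MAX_VERTICES 1024   /* parser-imposed cap; the file does not get to pick this */

typedef struct {
    char name[NAME_MAX];
    uint32_t vertex_count;
    float *vertices;        /* heap buffer sized from file data: unchecked sizing is a heap overflow */
} model_t;

enum { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_LENGTH, PARSE_TOO_MANY, PARSE_BAD_TAG, PARSE_NOMEM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int parse_model(const uint8_t *buf, size_t len, model_t *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < len) {
        if (len - pos < 3) return PARSE_TRUNCATED;          /* header must fit before it is read */
        uint8_t tag = buf[pos];
        uint16_t plen = rd16(buf + pos + 1);
        pos += 3;
        if (plen > len - pos) return PARSE_TRUNCATED;        /* declared length bounded by bytes present */
        const uint8_t *payload = buf + pos;
        switch (tag) {
        case 0x01:
            if (plen >= NAME_MAX) return PARSE_BAD_LENGTH;   /* leave room for the terminator */
            memcpy(out->name, payload, plen);
            out->name[plen] = '\0';
            break;
        case 0x02: {
            if (plen < 4) return PARSE_BAD_LENGTH;
            uint32_t count = rd32(payload);
            if (count > MAX_VERTICES) return PARSE_TOO_MANY; /* also keeps the multiply below from wrapping */
            size_t need = (size_t)count * 3 * sizeof(float);
            if ((size_t)plen - 4 != need) return PARSE_BAD_LENGTH; /* count must match the bytes present */
            float *v = malloc(need ? need : 1);
            if (!v) return PARSE_NOMEM;
            memcpy(v, payload + 4, need);
            free(out->vertices);
            out->vertices = v;
            out->vertex_count = count;
            break;
        }
        default:
            return PARSE_BAD_TAG;
        }
        pos += plen;
    }
    return PARSE_OK;
}

void model_free(model_t *m) { free(m->vertices); m->vertices = NULL; }

/* Constructed sample inputs (made up for this example, not real model files) */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x04, 0x00, 'c', 'u', 'b', 'e',
    0x02, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00,                                   /* one vertex */
    0x00, 0x00, 0x80, 0x3F,  0x00, 0x00, 0x00, 0x40,  0x00, 0x00, 0x40, 0x40    /* 1.0, 2.0, 3.0 */
};
static const uint8_t SAMPLE_TRUNCATED[]      = { 0x01, 0x20, 0x00, 'a', 'b' };                      /* claims 32 bytes, has 2 */
static const uint8_t SAMPLE_LONG_NAME[]      = { 0x01, 0x08, 0x00, 'A','A','A','A','A','A','A','A' }; /* 8 bytes into an 8-byte buffer */
static const uint8_t SAMPLE_HUGE_COUNT[]     = { 0x02, 0x04, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };         /* count 4294967295 */
static const uint8_t SAMPLE_COUNT_MISMATCH[] = { 0x02, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00 };         /* count 1, no vertex data */

/* Parse and discard; returns the status code so callers can check the verdict */
int parse_status(const uint8_t *buf, size_t len)
{
    model_t m;
    int rc = parse_model(buf, len, &m);
    model_free(&m);
    return rc;
}

/* Returns 1 if the well-formed sample parses into the expected name and vertex */
int good_sample_ok(void)
{
    model_t m;
    int ok = parse_model(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &m) == PARSE_OK
          && strcmp(m.name, "cube") == 0 && m.vertex_count == 1
          && m.vertices[0] == 1.0f && m.vertices[1] == 2.0f && m.vertices[2] == 3.0f;
    model_free(&m);
    return ok;
}

int main(void)
{
    printf("good: %d\n", good_sample_ok());
    printf("truncated: %d  long name: %d  huge count: %d  mismatch: %d\n",
           parse_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           parse_status(SAMPLE_LONG_NAME, sizeof SAMPLE_LONG_NAME),
           parse_status(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT),
           parse_status(SAMPLE_COUNT_MISMATCH, sizeof SAMPLE_COUNT_MISMATCH));
    return 0;
}
```

Each rejected sample corresponds to one of the classes in the report: a declared length larger than the remaining input would otherwise read past the buffer, an over-long name would otherwise overrun the fixed `name` array, and an unbounded vertex count would otherwise either wrap the size computation or make `memcpy` write past the heap allocation. The cap on `count` is the parser's own, not the file's, which is the property that matters.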
Microsoft placed them all under the umbrella of remote code execution (RCE) and grouped them into three CVEs: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146. All three are labeled as “very serious” with a severity score of 7.8.
Speaking with TechTarget, Zscaler’s senior chief security researcher Kai Lu said the company has found no evidence that the flaws are being exploited in the wild. He added that this could change at any time.
“There is a possibility that an experienced threat actor could discover and weaponize the same (or similar) vulnerabilities,” Lu told the publication. “The decision to temporarily disable support for SketchUp will prevent exploitation of patched versions and limit the potential impact.”
Microsoft has disabled support for SketchUp, SC Media added, because researchers managed to bypass the published patches.
“Microsoft has created a patch to address the vulnerabilities that ThreatLabz was able to bypass,” the Zscaler blog said, without going into further detail. The company did say that the report was only the first in a series, so we can expect more details in the coming days.
Microsoft, on the other hand, told TechTarget that its customers have been “protected since June when this feature was temporarily disabled” and added that customers should check SketchUp’s status on the dedicated page.