More Than 100 Vulns in Microsoft 365 Tied to SketchUp 3D Library

November 1, 2023 at 07:05PM

A recent report from Zscaler's ThreatLabz revealed that Microsoft 365 contains numerous vulnerabilities stemming from its support for the SketchUp 3D library. Over a three-month period, Zscaler identified 117 unique vulnerabilities, prompting Microsoft to release patches. However, the fixes were bypassed, and Microsoft temporarily disabled SketchUp support in June 2023. The vulnerabilities are remote code execution bugs that can be exploited only by tricking users into opening malicious files. SketchUp is widely used for inserting 3D files into Microsoft 365 applications.

Takeaways from the meeting notes are as follows:

1. Microsoft included support for the SketchUp 3D Library in Microsoft 365 in June 2022.
2. Zscaler's ThreatLabz reported finding 117 vulnerabilities in Microsoft 365 via SketchUp within a three-month period.
3. In December, Trend Micro's Zero Day Initiative disclosed four high-severity remote code execution bugs in Microsoft 365 related to SketchUp file parsing.
4. Microsoft released patches for the bugs under three CVE identifiers – CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146.
5. However, Zscaler’s ThreatLabz was able to develop a bypass for the fixes, leading to Microsoft disabling support for SketchUp in June 2023.
6. Microsoft temporarily disabled the ability to insert SketchUp graphics (.skp files) in Word, Excel, PowerPoint, and Outlook for Windows and Mac.
7. Microsoft described the vulnerabilities tied to SketchUp as “important” and stated that they can only be exploited by tricking users into running malicious files.
8. SketchUp is one of seven formats that Microsoft 365 users can choose from to insert 3D files into Office apps.
9. Zscaler ThreatLabz researchers discovered the vulnerabilities by analyzing a dynamic link library responsible for parsing 3D file formats in Microsoft 365 apps.

Please note that this summary is based solely on the information provided in the meeting notes.
