Zscaler’s ThreatLabz research team has discovered 117 unique vulnerabilities in Microsoft 365 applications after support for SketchUp (SKP) files was added by the tech giant.
The SKP file format was introduced in June 2022 in Microsoft 365 as part of Office’s 3D component, to enable users to work with more types of 3D file formats when creating presentations and visualizing data.
The proprietary file format has been around since 2000, to store the necessary information for creating 3D models, and SketchUp has become one of the top architecture software programs in the world.
In Office, SKP files can be inserted by selecting ‘3D models’ in the ‘Insert’ menu and then selecting the desired file. Once inserted in Microsoft 365 apps, the files are parsed using specific APIs from the SketchUp SDK.
While analyzing the way Microsoft 365 parses the SKP files, Zscaler discovered that multiple SketchUp APIs and wrapper functions are invoked.
Through fuzzing, the team identified a total of 20 security defects, including heap buffer overflow, integer overflow, out-of-bounds write, stack buffer overflow, type confusion, and use-after-free issues.
Further investigation revealed that, if an image is embedded in the SKP file, the FreeImage third-party library is used to parse it.
FreeImage has not been updated since 2018, and, through fuzzing, Zscaler identified 97 unique vulnerabilities in it, which it then successfully reproduced in Microsoft 365.
An attacker would have needed to trick the targeted user into opening a specially crafted SketchUp file to exploit the vulnerabilities.
Microsoft issued three CVEs to track these vulnerabilities, namely CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146, marking them as remote code execution (RCE) bugs, and released patches for them in April, May, and June.
However, Zscaler says they were able to successfully bypass the patches, which resulted in Microsoft temporarily disabling support for the SketchUp file format.