Over 100 vulnerabilities found in Microsoft 365 as SketchUp is added

What you need to know

• Cybersecurity firm Zscaler discovered 117 vulnerabilities affecting the Microsoft 365 suite, pinpointing SketchUp as the root cause of these issues.
• Microsoft issued patches for these issues, but the researchers claim they could still bypass the fixes.
• SketchUp is temporarily disabled in the Microsoft 365 suite as Microsoft works on a permanent resolution.

An emerging report by a cybersecurity firm dubbed Zscaler has uncovered over a hundred vulnerabilities in Microsoft 365. The report further details that the recent inception of SketchUp into the platform is the root cause of these problems.

For those not conversant with SketchUp (SKP) files, they are a 3D model file format developed in the early 2000s, though Microsoft integrated it into its cloud-based productivity tools last year.

The researchers disclosed that they had been looking into the platform for a period of three months. It was during this time that they were able to identify 117 unique vulnerabilities and security flaws impacting Microsoft 365 apps.

Microsoft’s patches didn’t work

Strangely enough, Microsoft issued patches for these flaws once it got wind of the situation, but still, the Zscaler ThreatLabz team claims that they could bypass the fixes. Consequently, this forced Microsoft to disable support for SketchUp in June 2023 as a temporary measure to prevent the issue from spiraling out of control. However, support for SketchUp remains disabled in the Microsoft 365 suite, which could indicate that the company is still working on a fix for the issue.

The Zscaler ThreatLabz team disclosed that it discovered while reverse-engineering the Office 3D components. Digging deeper into the components allowed them to discover that Microsoft was using multiple SketchUp C APIs to allow programs to arse an SKP file. The research instantly discovered 20 flaws, followed closely by another 97 ranging from out-of-bounds write to stack buffer overflow, and finally, heap buffer overflow vulnerabilities.

How widespread is the issue?

While speaking to TechTarget, Zscaler’s senior principal security researcher, Kai Lu, disclosed vulnerabilities were yet to be explored in the wild. Still, there’s a possibility that this might not be the case if Microsoft doesn’t arrive at a permanent resolution soon.

There is a possibility that a skilled threat actor can discover and weaponize the same (or similar) vulnerabilities. The decision to temporarily disable support for SketchUp will prevent exploitation for versions that have been patched and limit the potential impact.

The SketchUp status in the Microsoft 365 suite remains deactivated, though Microsoft is working on a fix for the issue and asks users to keep an eye on SketchUp’s status on its dedicated page.