{"id":1869,"date":"2023-12-06T08:54:20","date_gmt":"2023-12-06T08:54:20","guid":{"rendered":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/"},"modified":"2023-12-06T08:54:20","modified_gmt":"2023-12-06T08:54:20","slug":"threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu","status":"publish","type":"post","link":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/","title":{"rendered":"ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library – Part 2 Kai Lu"},"content":{"rendered":"

Introduction

In Part 1 of this series, we demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. We also developed two effective fuzzing harnesses.

Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities identified by the Zscaler ThreatLabz research team. The ThreatLabz research team analyzed the patch for CVE-2023-29344 and discovered a bypass, which in turn led Microsoft to address the vulnerabilities through CVE-2023-33146. In this blog, we examine how it was possible to bypass CVE-2023-29344. In addition, we analyze real-world case studies to gain further insight into how these vulnerabilities impact security.

How to Bypass CVE-2023-29344

Watch the video

In the following video, we show how CVE-2023-29344 can be bypassed, which led to the release of CVE-2023-33146.

Read the write-up

In May of 2023, the patch for CVE-2023-29344 was released and was intended to fix all vulnerabilities located in FreeImage. The patched version of MSOSPECTRE.DLL is 16.0.16327.20240, as shown in the figure below.

Figure 1: The patched version of MSOSPECTRE.DLL for CVE-2023-29344

First, let’s explore the details of the patch for CVE-2023-29344.

The figure below shows the comparison of SketchUpModelReader::ReadModel before and after the patch.

Figure 2: The comparison of SketchUpModelReader::ReadModel before and after the patch.

This patch introduced code changes that disable support for SKP files with the MFC type, because all vulnerabilities in FreeImage were reported to Microsoft through SKP files with the MFC type. In other words, Microsoft fixed these vulnerabilities by disabling support for SKP files with the MFC type, rather than fixing the underlying issues within the FreeImage library. As a result, this patch is incomplete, because these vulnerabilities in the FreeImage library could still be triggered using SKP files with the VFF type.

Next, let’s take a look at the process of bypassing the patch for CVE-2023-29344.

The figure below shows a Proof-of-Concept (PoC) crafting template for an SKP file with the VFF type, which includes a SketchUp header, a VFF header, and an embedded zip file. All data related to SketchUp 3D models are stored within a zip file.

Figure 3: A PoC crafting template for SKP file with the VFF type

We extract the part of the zip file within an SKP file and then analyze it using the zip template in 010 Editor. The result of the parsing operation reveals an image stored within the materials folder.

Figure 4: Analyzing the zip file embedded in the SKP file using the ZIP template in 010 Editor

Craft a new PoC.

1. Compress the abnormal image file using the Deflate algorithm.

   zlib.compressobj(compresslevel, zlib.DEFLATED, -zlib.MAX_WBITS, zlib.DEF_MEM_LEVEL, 0).compress(data)

2. Calculate the new CRC32 for the uncompressed image data. We can use 010 Editor’s CRC32 tool or Windows built-in CRC utility.
3. Update the fields frCrc, frCompressSize, frUncompressSize, and frData (compressed image data).
4. Update the field deHeaderOffset for each dirEntry, and also update the fields deCrc, deCompressSize, and deUncompress in struct ZIPDIRENTRY dirEntry[4] materials/_1/E70785.tif. Update the field erDirectoryOffset in the struct ZIPENDLOCATOR endLocator.
5. Combine the SketchUp header, VFF header, and the modified zip file into a complete SKP file.
6. Finally, we need to re-calculate the checksum in the VFF header. We uncovered a specific algorithm responsible for computing this checksum. Figure 6 shows a pseudo-code representation of this algorithm.

Figure 5: The parsing result in 010 Editor

Figure 6: The specific algorithm responsible for computing this checksum in a VFF header

So far, we’ve elaborated on the steps of crafting the new PoC to bypass the patch for CVE-2023-29344. With this approach, we reproduced 97 unique vulnerabilities in Microsoft 365 apps updated with the patch for CVE-2023-29344. Microsoft assigned CVE-2023-33146 for this discovery, which bypassed the original patch.

Finally, Microsoft disabled the ability to insert SketchUp files in Office documents in the patch for CVE-2023-33146.

A screenshot of the Microsoft update
Real-World Cases

Microsoft Office SKP file parsing `CVertex` object use-after-free vulnerability

The figure below shows a use-after-free vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office.

Figure 7: Microsoft Office SKP File Parsing `CVertex` object Use-After-Free Vulnerability

Microsoft Office SKP file parsing TIFF image integer overflow vulnerability

The figure below shows an integer overflow vulnerability that is associated with the parsing of an SKP file containing an abnormal TIFF image in Microsoft Office. This vulnerability ultimately results in a crash within the memcpy function.

Figure 8: Microsoft Office SKP File Parsing TIFF Image Integer Overflow Vulnerability

Microsoft Office SKP file parsing uninitialized memory vulnerability

The figure below shows an uninitialized memory vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office. This vulnerability potentially results in remote code execution.

Figure 9: Microsoft Office SKP File Parsing Uninitialized Memory Vulnerability

Microsoft Office SKP file parsing BMP image out-of-bounds write vulnerability

The figure below shows an out-of-bounds write vulnerability that is associated with the parsing of an SKP file containing an abnormal BMP image in Microsoft Office.

Figure 10: Microsoft Office SKP File Parsing BMP Image Out-of-Bounds Write Vulnerability

Microsoft Office SKP file parsing PICT image out-of-bounds write vulnerability

The figure below shows an out-of-bounds write vulnerability (CVE-2023-29344) that is associated with the parsing of an SKP file containing an abnormal PICT image in Microsoft Office. The PoC file for this vulnerability is an SKP file with the MFC type.

Figure 11: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with MFC type)

In Figure 12, we observe the bypass of CVE-2023-29344 using an SKP file with the VFF type.

Figure 12: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with VFF type)
Conclusion

In this two-part series, we’ve walked you through the process of reverse engineering the Office 3D component, and we’ve also explored how to create two effective fuzzing harnesses, one for SketchUp and the other for FreeImage. The results have been highly effective. We discovered 117 unique vulnerabilities within the Office 3D component in Microsoft 365 apps in approximately three months. These security vulnerabilities demonstrate the importance of performing security code audits and blackbox fuzzing for third-party libraries before they are introduced into a new or existing product.

Mitigation

All users of Microsoft 365 apps are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities as follows:

Win64.Exploit.CVE-2023-28285
Win64.Exploit.CVE-2023-29344
Win64.Exploit.CVE-2023-33146

Appendix

The following vulnerabilities were discovered and reported by ThreatLabz while fuzzing the SketchUp library in Microsoft 365 applications.


","protected":false},"excerpt":{"rendered":"

Introduction In Part 1 of this series, we\u2019ve demonstrated how […]<\/p>\n","protected":false},"author":0,"featured_media":1768,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-1869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zenith-zscaler"]}
JHC","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/#primaryimage"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/11\/zscaler-logo-og-s4HOj1.jpeg","datePublished":"2023-12-06T08:54:20+00:00","dateModified":"2023-12-06T08:54:20+00:00","breadcrumb":{"@id":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/#primaryimage","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/11\/zscaler-logo-og-s4HOj1.jpeg","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/11\/zscaler-logo-og-s4HOj1.jpeg","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/jacksonholdingcompany.com\/threatlabz-discovers-117-vulnerabilities-in-microsoft-365-apps-via-the-sketchup-3d-library-part-2-kai-lu\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jacksonholdingcompany.com\/"},{"@type":"ListItem","position":2,"name":"ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library – Part 2 Kai 
Lu"}]},{"@type":"WebSite","@id":"https:\/\/jacksonholdingcompany.com\/#website","url":"https:\/\/jacksonholdingcompany.com\/","name":"JHC","description":"Your Business Is Our Business","publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jacksonholdingcompany.com\/#organization","name":"JHC","url":"https:\/\/jacksonholdingcompany.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","width":452,"height":149,"caption":"JHC"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/1869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/comments?post=1869"}],"version-history":[{"count":0,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/1869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media\/1768"}],"wp:attachment":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media?parent=1869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/c
ategories?post=1869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/tags?post=1869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}