Microsoft 365 Vulnerabilities Discovered
A team of cybersecurity researchers from Zscaler has uncovered over a hundred vulnerabilities in Microsoft 365. These vulnerabilities were introduced with the integration of SketchUp into the cloud productivity suite. What’s even more concerning is that the researchers claim to have bypassed the patches released by Microsoft to address these flaws.
The Impact of SketchUp Integration
SketchUp is a program that allows users to add 3D models to Microsoft documents. It was first introduced in August 2000 and later integrated into Microsoft 365’s Office 3D component. By reverse engineering the Office 3D components, the researchers discovered a total of 117 vulnerabilities in Microsoft 365 apps. These vulnerabilities stem from the support for SketchUp 3D files (SKP) and include heap buffer overflow, out-of-bounds write, and stack buffer overflow bugs, the classes of memory-safety defect typical of a file parser that trusts length and offset fields read from the file.
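The three bug classes named above usually share one root cause in a file parser: a length field read from untrusted input is used to size a copy without checking it against the bytes actually present or the capacity of the destination. The following C program is an added illustration, not code from the article, from Zscaler, or from the Office 3D or SketchUp components, and the record layout it parses (a 4-byte little-endian length followed by payload) is a constructed toy format, not the real SKP layout. It places the unchecked copy beside a hardened version that bounds every use of the length field and reports a status instead of copying, and walks a few constructed inputs through it: a well-formed file, a truncated one, a payload that fits the file but not the fixed destination, and a length near UINT32_MAX.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy container for illustration only; it is NOT the real SKP
 * layout. A record is a 4-byte little-endian payload length followed by
 * that many payload bytes, and records sit back to back in the file. */

#define NAME_CAP 16  /* fixed-size destination, as a stack or heap buffer would be */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = 1, /* fewer than 4 bytes left for the length field */
    PARSE_TRUNCATED = 2,    /* length claims more bytes than the file holds */
    PARSE_TOO_LONG = 3      /* payload would not fit the destination buffer */
};

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect pattern behind the bug classes the article names: the length
 * field is trusted. If len exceeds the bytes remaining in the file buffer,
 * memcpy reads out of bounds; if len exceeds NAME_CAP, it writes past the
 * end of name[] (a stack or heap buffer overflow, depending on where the
 * caller allocated name). Kept only for contrast with the checked version. */
static void copy_name_unchecked(const uint8_t *rec, char name[NAME_CAP]) {
    uint32_t len = read_u32le(rec);
    memcpy(name, rec + 4, len);
    name[len] = '\0';
}

/* Hardened form: every use of len is bounded by what remains in the input
 * and by the destination capacity. Comparing len against the remaining
 * byte count (rather than computing off + 4 + len first) also avoids
 * integer wraparound when len is near UINT32_MAX. */
static enum parse_status copy_name_checked(const uint8_t *buf, size_t buf_len,
                                           size_t off, char name[NAME_CAP],
                                           size_t *next_off) {
    if (off > buf_len || buf_len - off < 4)
        return PARSE_SHORT_HEADER;
    uint32_t len = read_u32le(buf + off);
    size_t remaining = buf_len - off - 4;
    if (len > remaining)
        return PARSE_TRUNCATED;
    if (len >= NAME_CAP)          /* >= keeps one byte for the terminator */
        return PARSE_TOO_LONG;
    memcpy(name, buf + off + 4, len);
    name[len] = '\0';
    if (next_off)
        *next_off = off + 4 + len;
    return PARSE_OK;
}

/* Walk a whole buffer of records; returns how many parsed cleanly and
 * reports the status that stopped the walk (PARSE_OK when the input ends
 * exactly on a record boundary). */
static size_t parse_records(const uint8_t *buf, size_t buf_len,
                            char names[][NAME_CAP], size_t max_names,
                            enum parse_status *stop) {
    size_t off = 0, count = 0;
    enum parse_status st = PARSE_OK;
    while (off < buf_len && count < max_names) {
        st = copy_name_checked(buf, buf_len, off, names[count], &off);
        if (st != PARSE_OK)
            break;
        count++;
    }
    if (stop)
        *stop = st;
    return count;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_FILE[] = {
    0x05, 0, 0, 0, 'c', 'h', 'a', 'i', 'r',   /* record 1: len 5 */
    0x04, 0, 0, 0, 'l', 'a', 'm', 'p'         /* record 2: len 4 */
};
static const uint8_t TRUNC_FILE[] = {
    0x05, 0, 0, 0, 'c', 'h', 'a', 'i', 'r',
    0x40, 0, 0, 0, 'l', 'a', 'm', 'p'         /* claims 64 bytes, only 4 present */
};
static const uint8_t LONG_FILE[] = {          /* 20 payload bytes present, NAME_CAP is 16 */
    0x14, 0, 0, 0, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                   'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};
static const uint8_t WRAP_FILE[] = { 0xff, 0xff, 0xff, 0xff, 'x' }; /* len = UINT32_MAX */

static const char *status_name(enum parse_status s) {
    static const char *names[] = { "ok", "short header", "truncated", "too long" };
    return names[s];
}

int main(void) {
    char names[4][NAME_CAP];
    enum parse_status st;
    size_t n;

    n = parse_records(GOOD_FILE, sizeof GOOD_FILE, names, 4, &st);
    printf("good:  %zu records, %s (%s, %s)\n", n, status_name(st), names[0], names[1]);
    n = parse_records(TRUNC_FILE, sizeof TRUNC_FILE, names, 4, &st);
    printf("trunc: %zu records, %s\n", n, status_name(st));
    n = parse_records(LONG_FILE, sizeof LONG_FILE, names, 4, &st);
    printf("long:  %zu records, %s\n", n, status_name(st));
    n = parse_records(WRAP_FILE, sizeof WRAP_FILE, names, 4, &st);
    printf("wrap:  %zu records, %s\n", n, status_name(st));

    /* The unchecked copy behaves identically only while the record is well formed. */
    copy_name_unchecked(GOOD_FILE, names[2]);
    printf("unchecked on well-formed record: %s\n", names[2]);
    return 0;
}
```

The detail worth noting is the order of the checks in copy_name_checked: the header size is verified before the length is read, the length is compared with the remaining byte count (so the arithmetic cannot wrap), and only then is it compared with the destination capacity. A parser that performs only the last of these still reads out of bounds on a truncated file, and one that computes an end offset before comparing can be defeated by a length close to UINT32_MAX.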
Bypassed Solutions
Microsoft categorized these vulnerabilities as “remote code execution” (RCE) and grouped them into three CVEs: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146. All three are rated “high severity” with a severity score of 7.8. Zscaler’s senior principal security researcher, Kai Lu, stated that there is currently no evidence of these vulnerabilities being exploited in the wild. However, he emphasized that skilled threat actors could discover and weaponize them at any time.
Microsoft’s Response
Microsoft temporarily disabled support for SketchUp after the researchers managed to bypass the patches. The company created a patch to address the vulnerabilities but did not provide further details. Microsoft assured its customers that they have been protected since June when the SketchUp feature was temporarily disabled. Customers are advised to check SketchUp’s status on Microsoft’s dedicated page for updates.
Conclusion
While the vulnerabilities discovered by Zscaler have not been exploited yet, the potential for skilled threat actors to weaponize them remains a concern. Microsoft’s swift response in disabling SketchUp support and releasing patches demonstrates their commitment to addressing these vulnerabilities. It is crucial for Microsoft 365 users to stay updated with the latest security measures and patches to ensure the protection of their data and systems.