CVE-2024-9720: 
Trimble SketchUp Viewer vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2024-9720) has been identified in Trimble SketchUp Viewer's SKP file parsing functionality. The vulnerability was discovered and reported by Mat Powell of Trend Micro Zero Day Initiative on May 1, 2024. This out-of-bounds read vulnerability affects installations of Trimble SketchUp Viewer version 22.0.316.0 (NVD, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of SKP files, which can result in a read operation past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Trimble SketchUp Viewer. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

Given the nature of the vulnerability, the primary mitigation strategy is to restrict interaction with the application. As of November 12, 2024, no vendor patch has been released despite multiple follow-ups from ZDI on September 6 and September 23, 2024 (ZDI Advisory).