CVE-2024-9728: 
Trimble SketchUp Viewer vulnerability analysis and mitigation

Trimble SketchUp Viewer contains a use-after-free vulnerability in the parsing of SKP files (CVE-2024-9728). The vulnerability was discovered and reported to the vendor on May 1, 2024, by Mat Powell of Trend Micro Zero Day Initiative. After multiple follow-ups and no patch being released, it was publicly disclosed as a zero-day vulnerability on November 12, 2024 (ZDI Advisory).

The vulnerability exists within the parsing of SKP files in Trimble SketchUp Viewer version 22.0.316.0. The specific flaw results from the lack of validating the existence of an object prior to performing operations on it, leading to a use-after-free condition (CWE-416). The vulnerability has received a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. The code execution occurs in the context of the current process, potentially leading to full system compromise with the privileges of the affected process (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. As of the disclosure date, no official patch has been released by the vendor (ZDI Advisory).