{"id":15934,"date":"2026-03-10T23:38:15","date_gmt":"2026-03-10T23:38:15","guid":{"rendered":"https:\/\/newestek.com\/?p=15934"},"modified":"2026-03-10T23:38:15","modified_gmt":"2026-03-10T23:38:15","slug":"march-patch-tuesday-three-high-severity-holes-in-microsoft-office","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15934","title":{"rendered":"March Patch Tuesday: Three high severity holes in Microsoft Office"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Three high severity holes in Microsoft\u2019s Office suite headline the 78 issues listed in the March Patch Tuesday releases, which, grateful CSOs will notice, contain no surprise zero day vulnerabilities.<\/p>\n<p>Still, <a href=\"https:\/\/www.linkedin.com\/in\/bicer\/\">Jack Bicer<\/a>, director of vulnerability research at Action1, says these Office-related flaws should be treated \u201cwith urgency.\u201d<\/p>\n<p>\u201cProductivity tools remain one of the most common entry points for attackers,\u201d he explained, \u201cand vulnerabilities that can be triggered through routine document handling continue to expand the attack surface inside corporate networks.\u201d<\/p>\n<p>One of the most notable of the three issues, he said, is the Excel Information Disclosure Vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26144\">CVE-2026-26144<\/a>). This flaw stems from improper neutralization of input during web page generation, also known as cross-site scripting. 
The vulnerability allows an attacker to trigger unintended outbound network communication that could leak sensitive information.<\/p>\n<p>The attack requires network access, Microsoft says, but no user interaction or privileges. An attacker could deliver specially crafted content that, when Excel processes it, would initiate data exfiltration without triggering alerts. That\u2019s dangerous, because Excel files often contain sensitive corporate data.<\/p>\n<p>\u201cA particularly concerning aspect is the potential interaction with Copilot Agent mode,\u201d Bicer said in an email, \u201cwhere automated processes could transmit sensitive data without direct user involvement. Even without confirmed exploitation in the wild, the possibility of silent data exfiltration from spreadsheets containing financial, operational, or intellectual property data represents a meaningful risk to organizations that rely heavily on Excel driven workflows.\u201d<\/p>\n<p>As of today, the hole hasn\u2019t been exploited.\u00a0<\/p>\n<p>Action1 says that if patch deployment must be delayed, organizations should restrict outbound network traffic from Office applications and monitor unusual network requests generated by Excel processes. Disabling or limiting AI-driven automation features such as Copilot Agent mode may reduce exposure.<\/p>\n<p>The second Office hole Bicer drew attention to is a remote code execution vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26113\">CVE-2026-26113<\/a>) caused by Office improperly handling memory pointers. This allows an attacker to manipulate how the application accesses memory. Successful exploitation could allow the attacker to run code on the affected system with the same privileges as the current user. Admins should note that the Preview Pane can serve as an attack vector, so exploitation may occur simply by viewing a malicious file.<\/p>\n<p>This bug carries a CVSS score of 8.4. 
As of today, there are no known public exploits or proofs-of-concept.<\/p>\n<p>There\u2019s also a separate Office remote code execution vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26110\">CVE-2026-26110<\/a>) that introduces risk through a type confusion flaw that results from improper handling of incompatible data types in memory. Like the previous vulnerability, Bicer said, exploitation can occur through document previewing, and could allow attackers to run malicious code with the privileges of the logged-in user. \u201cThese vulnerabilities highlight how everyday document handling activities can quickly become pathways for system compromise,\u201d he said.<\/p>\n<p>\u201cFrom a business perspective, vulnerabilities that enable code execution or data disclosure through widely used productivity software present significant operational risk,\u201d Bicer added. \u201cOffice documents are routinely exchanged across email, collaboration platforms, and shared repositories, making them a common delivery mechanism for phishing campaigns and targeted attacks. If exploited, these vulnerabilities could allow attackers to deploy malware, steal sensitive information, establish persistent access, or move laterally through corporate networks. The Preview Pane attack vector is particularly concerning because it reduces the need for user interaction and increases the likelihood of accidental exposure.\u201d<\/p>\n<p>Bicer said for this Patch Tuesday, strategic focus should include rapid patch deployment for Office environments, monitoring for unusual outbound network activity originating from Office applications, and limiting automated data sharing features tied to AI-assisted workflows such as Copilot Agent mode. 
CISOs should also reinforce controls that reduce document-based attack risk, including disabling Preview Pane where feasible, strengthening email attachment filtering, and increasing endpoint monitoring for abnormal Office process behavior.<\/p>\n<p>\u201cTaking these steps will reduce the likelihood that routine document interactions become an entry point for attackers seeking to compromise enterprise systems or extract sensitive data,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"azure-issues\">Azure issues<\/h2>\n<p><a href=\"https:\/\/www.fortra.com\/profile\/tyler-reguly\">Tyler Reguly<\/a>, associate director for security R&amp;D at Fortra, said CSOs should pay close attention to nine Azure vulnerabilities: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23651\">CVE-2026-23651<\/a> and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26124\">26124<\/a> in Azure Compute Gallery;\u00a0 <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23660\">CVE-2026-23660<\/a> in Azure Portal Windows Admin Center; <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23661\">CVE-2026-23661<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23662\">23662<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23664\">23664<\/a> in Azure IoT Explorer, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23665\">CVE-2026-23665<\/a> in Azure Linux Virtual Machines, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26141\">CVE-2026-26141<\/a> in Azure Arc; <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26118\">CVE-2026-26118<\/a>, an elevation of privilege vulnerability in Azure Model Context Protocol (MCP) tools, and <a 
href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26148\">CVE-2026-26148<\/a> in Azure Entra ID.<\/p>\n<p>The Entra ID login hole affects Azure Linux virtual machines and is rated High severity, with a CVSS score of 8.1. It could allow an unauthorized attacker to elevate privileges locally. Azure users need to update the Azure SSH login extension through their Linux distribution\u2019s package manager to install the latest version of the <em>aadsshlogin<\/em> package. Systems with the extension already installed have <em>packages.microsoft.com<\/em> configured automatically, so no additional setup is required.<\/p>\n<p>\u201cThe cloud ecosystem doesn\u2019t really handle patching well,\u201d Reguly said. \u201cIt\u2019s a relatively immature process, and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-23665\">CVE-2026-23665<\/a>) or the multiple CVEs impacting Azure IoT Explorer require pretty non-standard patching mechanisms, and those may require a little additional effort from IT teams. CSOs should ensure that they have solid asset inventories around the deployment of cloud related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sysadmins and security teams on a quiet month like this,\u201d Reguly said.<\/p>\n<p><a href=\"https:\/\/www.ivanti.com\/blog\/authors\/chris-goettl\">Chris\u00a0Goettl<\/a>, VP of product management at\u00a0Ivanti, noted that an elevation of privilege vulnerability in SQL Server (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-21262\">CVE-2026-21262<\/a>), with a CVSS score of 8.8, is on the list; however, it has already been publicly disclosed. 
An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.<\/p>\n<p><a href=\"https:\/\/www.tenable.com\/profile\/satnam-narang\">Satnam Narang<\/a>, senior staff research engineer at Tenable, commented on the fix for Azure Model Context Protocol (MCP) tools. \u201cThis bug is a server-side request forgery,\u201d he said in an email, \u201cso an attacker could exploit it by sending a request to a vulnerable Azure MCP Server. But exploitation requires that the server accept user-provided parameters.<\/p>\n<p>\u201cMCP servers have become extremely popular for connecting large language models and agentic AI applications,\u201d he noted, \u201cand with the rise of tools like OpenClaw and other agents, it has become even more critical to secure these tools from cybercriminals.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"good-news-for-admins\">Good news for admins<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/nicholasacarroll\">Nick Carroll<\/a>, cyber incident response manager at Nightwing, spotted what he said is \u201csome incredibly good news. For years, defenders and SOC analysts have relied on Microsoft\u2019s System Monitor (Sysmon) to gain high-fidelity telemetry into process creation, network connections, and file modifications. But because it lived in the external Sysinternals suite, deploying it required manual downloads, custom scripts, and constant maintenance.<\/p>\n<p>As of the Windows 11 March feature update (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/march-10-2026-kb5079473-os-builds-26200-8037-and-26100-8037-9c222a8e-cc02-40d4-a1f8-ad86be1bc8b6\">KB5079473<\/a>), Sysmon is natively integrated directly into Windows 11 as an optional built-in feature.\u00a0Admins no longer need to package it dynamically. It can be simply enabled programmatically via PowerShell. 
\u201cCoupled with Microsoft\u2019s simultaneous announcement that Windows Intune will enable hotpatching by default in May 2026, this drastically lowers the barrier to entry for deep endpoint visibility and represents a massive operational win for network defenders,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"sap-google-and-other-high-severity-bugs\">SAP, Google, and other high severity bugs<\/h2>\n<p>Separately, SAP issued fixes for two critical vulnerabilities, one of which carries a CVSS score of 9.8. That\u2019s SAP Security Note\u00a0<a href=\"https:\/\/me.sap.com\/notes\/3698553\">#3698553<\/a>, which patches a code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO).\u00a0<a href=\"https:\/\/onapsis.com\/blog\/sap-security-patch-day-march-2026\/\">According to researchers at Onapsis<\/a>, the application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to\u00a0<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2019-17571\">CVE-2019-17571<\/a>. It allows an unprivileged attacker to execute arbitrary code remotely on the server, causing high impact on confidentiality, integrity, and availability of the application.<\/p>\n<p>The other SAP Security Note,\u00a0<a href=\"https:\/\/me.sap.com\/notes\/3714585\">#3714585<\/a>, tagged with a CVSS score of 9.1, patches an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. Due to missing or insufficient validation during the deserialization of uploaded content, a privileged user is able to upload untrusted or malicious content. 
Only the fact that an attacker requires high privileges for a successful exploit prevents the vulnerability from being tagged with a CVSS score of 10.<\/p>\n<p>Other vendors also addressed some high severity issues.<\/p>\n<p>Apple released security updates for memory corruption in the Dynamic Link Editor used in iPadOS, macOS, tvOS, watchOS and visionOS.<\/p>\n<p>Google released security updates for Chrome and the Chromium browser that patch several high severity issues.<\/p>\n<p>Ivanti flagged two serious bugs in its Endpoint Manager that could let attackers steal credentials or read sensitive data.<\/p>\n<p>WordPress issued a security update to close a vulnerability that exposes a critical weakness in the WPvivid Backup and Migration plugin. It carries a CVSS score of 9.8.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Three high severity holes in Microsoft\u2019s Office suite headline the 78 issues listed in the March Patch Tuesday releases, which, grateful CSOs will notice, contain no surprise zero day vulnerabilities. 
Still, Jack Bicer, director of vulnerability research at Action1, says these Office-related flaws should be treated \u201cwith urgency.\u201d \u201cProductivity tools remain one of the most common entry points for attackers,\u201d he explained, \u201cand vulnerabilities that&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15934\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15934","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15934"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15934\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}