- Microsoft’s latest Patch Tuesday release fixes 83 bugs
- Including an Excel flaw that enables AI-powered zero-click data theft
- Update is encouraged to block exfiltration via Copilot assistant
The March 2026 Patch Tuesday release from Microsoft has fixed a serious vulnerability in Excel that combines good old cross-site scripting (XSS) with indirect prompt injection for data exfiltration via Artificial Intelligence (AI).
Because AI gave an old vulnerability class a new twist, some security researchers described it as “fascinating” – and the fact that it is a “zero-click” attack didn’t help either.
In its security advisory, Microsoft described the flaw as an “improper neutralization of input” vulnerability that occurs during web page generation, allowing unauthorized attackers to reveal information over a network. It is now tracked as CVE-2026-26144 and given a severity rating of 7.5/10 (high).
Patches and workarounds
The flaw is that Excel does not properly neutralize input. Normally, when a threat actor sends an Excel file containing a malicious link or similar, the program should neutralize this input by removing the link or deleting the malicious content. Because the program does not do this properly, the input may be executed even if the victim never actually opens the file and only views it in the preview pane.
Now we add AI to the mix. Newer versions of Excel come with Microsoft’s GenAI assistant, Copilot. If the malicious input asks the AI to exfiltrate sensitive data to a third-party server, and Excel doesn’t neutralize it in time, the task can be performed even from the preview pane.
The best way to block this is to simply deploy the update. If you can’t do that right away, you can limit outbound traffic from Office applications and keep a close eye on network requests from Excel processes. Disabling the Copilot Agent could also help.
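One way to keep an eye on network requests from Excel processes, as an added example that is not from Microsoft's advisory or the original article: the script filters Sysmon Event ID 3 (network connection) records for outbound connections made by EXCEL.EXE and flags destinations outside an allowlist. The JSON-lines export shape, the allowlist suffixes, the helper names and all sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Assumption: illustrative allowlist; replace with the endpoints your tenant needs.
ALLOWED_SUFFIXES = ("office.com", "officeapps.live.com", "microsoft.com")
# Internal ranges that are not treated as external egress (RFC 1918, loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

def _line(time, image, host, ip, port):
    """Serialize one constructed Sysmon Event ID 3 style record as a JSON line."""
    return json.dumps({"UtcTime": time, "Image": image, "Initiated": "true",
                       "DestinationHostname": host, "DestinationIp": ip,
                       "DestinationPort": port})

# Constructed sample log; external addresses come from reserved documentation ranges.
SAMPLE_LOG = [
    _line("2026-03-11 09:14:02", EXCEL, "roaming.officeapps.live.com", "192.0.2.10", 443),
    _line("2026-03-11 09:14:05", EXCEL, "collector.example.net", "203.0.113.25", 443),
    _line("2026-03-11 09:14:06", EXCEL, "", "198.51.100.7", 8443),
    _line("2026-03-11 09:14:09", r"C:\Apps\browser.exe", "collector.example.net", "203.0.113.25", 443),
    _line("2026-03-11 09:15:30", EXCEL, "microsoft.com.example.net", "203.0.113.26", 443),
    _line("2026-03-11 09:16:00", EXCEL, "", "10.20.30.40", 445),
]

def is_allowed(host, ip):
    """True when the destination is an allowlisted domain or an internal address."""
    host = (host or "").rstrip(".").lower()
    if host:  # match on a label boundary so lookalike hosts do not pass
        return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable destination: surface it for review
    return any(addr in net for net in INTERNAL_NETS)

def flag_excel_egress(lines):
    """Return (time, destination, port) for Excel connections outside the allowlist."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if image != "excel.exe" or ev.get("Initiated") != "true":
            continue  # only outbound connections made by Excel are in scope
        host, ip = ev.get("DestinationHostname", ""), ev.get("DestinationIp", "")
        if not is_allowed(host, ip):
            findings.append((ev["UtcTime"], host or ip, ev["DestinationPort"]))
    return findings
```

Calling `flag_excel_egress(SAMPLE_LOG)` returns the three Excel connections that fall outside the allowlist, including the lookalike host that merely begins with an allowlisted domain.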
While this bug grabbed all the headlines, it’s not the only one addressed in this month’s patch. In fact, Microsoft cleaned up a total of 83 vulnerabilities, including eight that the software maker considered critical.
Via The Register



