- Microsoft’s latest Patch Tuesday release fixes 83 flaws
- Including an Excel bug that enables AI-driven zero-click data theft
- Update recommended to block exfiltration via the Copilot assistant
Microsoft’s March 2026 Patch Tuesday patched a high-severity vulnerability in Excel that combines good old cross-site scripting (XSS) with indirect prompt injection for data exfiltration via artificial intelligence (AI).
Because AI puts a new spin on an old vulnerability, some security researchers have described it as “fascinating”, and the fact that it is a “no-click” attack hasn’t helped either.
In its security advisory, Microsoft described the bug as an “improper input neutralization” vulnerability that occurs when web pages are generated, allowing unauthorized attackers to leak information over a network. It is now tracked as CVE-2026-26144 and has received a severity score of 7.5/10 (high).
Fixes and workarounds
The bug lies in how Excel neutralizes input. Normally, when a malicious actor sends an Excel file containing a malicious link or similar content, the program must neutralize that input by removing the link or the malicious content. Because Excel does not do this correctly, the input may be executed even if the victim never actually opens the file and simply views it in the preview pane.
Now we add AI to the mix. Newer versions of Excel come with Microsoft’s GenAI assistant, Copilot. If the malicious input asks the AI to exfiltrate sensitive data to a third-party server and Excel does not neutralize it in time, the task can be executed even from the preview pane.
The best way to address this is to simply deploy the update. However, if you cannot do so immediately, you can restrict outgoing traffic from Office applications and closely monitor network requests from Excel processes. Disabling the Copilot agent might also help.
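To illustrate the advice to monitor network requests from Excel processes, here is an added example (not from Microsoft or the original article) that filters process network events for Excel connections to unexpected destinations. It assumes events already parsed into dictionaries with Sysmon-style network connection fields (`Image`, `DestinationHostname`, `DestinationIp`); the allow-list, internal ranges and sample events are constructed placeholders.

```python
import ipaddress

# Assumptions (adjust to your environment): destinations Excel is expected to
# reach, and which address ranges count as internal.
ALLOWED_SUFFIXES = (".office.com", ".microsoft.com", ".sharepoint.com")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or unparsable address: treat as external
    return any(addr in net for net in INTERNAL_NETS)

def host_allowed(host):
    host = host.lower().rstrip(".")
    # Suffixes start with a dot, so "microsoft.com.lookalike.example" fails.
    return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)

def flag_excel_egress(events):
    """Return network events where EXCEL.EXE talks to an unexpected destination."""
    flagged = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image != "excel.exe":
            continue
        host = ev.get("DestinationHostname", "")
        if is_internal(ev.get("DestinationIp", "")) or (host and host_allowed(host)):
            continue
        flagged.append(ev)  # also catches bare-IP connections with no hostname
    return flagged

# Constructed sample events (documentation IP ranges, reserved example domains).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"Image": EXCEL, "DestinationHostname": "tenant.sharepoint.com", "DestinationIp": "203.0.113.5"},
    {"Image": EXCEL, "DestinationHostname": "files.example.net", "DestinationIp": "198.51.100.7"},
    {"Image": EXCEL, "DestinationHostname": "", "DestinationIp": "198.51.100.9"},
    {"Image": EXCEL, "DestinationHostname": "login.microsoft.com.lookalike.example", "DestinationIp": "198.51.100.20"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "files.example.net", "DestinationIp": "198.51.100.7"},
    {"Image": EXCEL, "DestinationHostname": "", "DestinationIp": "10.1.2.3"},
]

if __name__ == "__main__":
    for ev in flag_excel_egress(SAMPLE_EVENTS):
        print("REVIEW:", ev["DestinationHostname"] or ev["DestinationIp"])
```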
While this bug has made headlines, it’s not the only one being fixed in this month’s patch. In fact, Microsoft cleaned up a total of 83 vulnerabilities, including eight that the software company deemed critical.
Via The Register