Microsoft's March Update Fixed 79 Vulnerabilities. One of Them Lets Copilot Leak Your Data.
Every month, Microsoft ships a batch of security updates. Most months it's background noise. This month is different, and if you're running Windows or using Microsoft 365 Copilot, you should know what's in this one.
On March 10th, Microsoft released its monthly Patch Tuesday update fixing 79 security vulnerabilities across Windows, Office and other Microsoft products.[1] Two of them were zero-days in Microsoft's sense of the term: the vulnerability details were publicly disclosed before a fix was available. That matters because it gives attackers a head start. Once the details are out there, it's only a matter of time before someone builds an exploit around them.
Most of those 79 flaws fall into the "annoying but manageable" category. But one in particular stands out.
The One That Should Actually Worry You
CVE-2026-26144 is a critical information disclosure vulnerability in Microsoft Excel that affects Copilot's Agent mode.[2] Here's the short version: an attacker who exploits it can cause Microsoft 365 Copilot to quietly send your data to a destination the attacker controls, and it doesn't require you to click anything. Microsoft's own description calls it a "zero-click information disclosure attack" that causes "unintended network egress." That's a technical way of saying your files can walk out the door without you opening an attachment, approving a prompt, or doing anything at all. Note also that Excel isn't patched the way Windows is: for Microsoft 365 Apps (Click-to-Run) installs, the fix arrives through Office's own update channel, so a machine can be fully current in Windows Update and still be running a vulnerable Excel build.
If your business has adopted Microsoft 365 Copilot, this update is not something you can defer until next week.
A PrintNightmare Flashback
There's also a Windows Print Spooler flaw (CVE-2026-26129) that security researchers are comparing to PrintNightmare,[3] the 2021 vulnerability that let attackers take control of systems through the Print Spooler service. PrintNightmare was a mess. It affected almost every Windows machine, working exploit code was public, and organizations were scrambling to patch it for months. This new one isn't confirmed as actively exploited yet, but the pattern is similar enough that the comparison is being drawn in security press coverage. That's not something to ignore, and the PrintNightmare-era advice still applies: a server that never prints has no reason to run the Spooler service at all.
The two zero-days are a SQL Server privilege escalation bug and a .NET denial-of-service flaw that lets a remote attacker crash .NET-based applications. Neither one is confirmed as being actively used in attacks yet. "Publicly disclosed" is the step before "actively exploited in the wild," and historically that gap closes faster than most IT teams expect.
Windows 10 Is on Borrowed Time
One detail worth noting from this patch cycle: Windows 10, which Microsoft officially ended support for in October 2025, still received patches covering 48 of the vulnerabilities fixed this month (the report cited here counts 84 in total, a broader tally than the 79 Windows and Office flaws above).[4] That's both good news and a warning sign. Good because you're still getting some protection. A warning because Microsoft won't keep doing this forever; its official route to continued Windows 10 patches is the paid Extended Security Updates program, and even that is time-limited. When the updates stop, every unpatched flaw becomes a permanent open door.
We've been helping clients move to Windows 11 over the past several months. It's a straightforward process when it's planned. It becomes a headache when you're forced into it by a hardware failure or a security incident.
What You Should Actually Do
Open Windows Update on every machine in your office and confirm this month's patches are actually installed, not merely downloaded and waiting for a reboot. If you run a server environment, check your SQL Server and SharePoint installations separately, since they are patched on their own schedules. If you have Microsoft 365 Copilot deployed across your team, treat the Excel/Copilot patch as urgent, and check the Office build number rather than Windows Update, because that is where the Excel fix shows up.
Most small businesses don't have a patch management process. They rely on Windows Update running automatically in the background and hope it works. Sometimes it does. Sometimes machines haven't rebooted in three months, updates are queued but never installed, and nobody knows. That's a real scenario we see regularly.
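The checks above can be scripted. The following PowerShell is an added example written for this post, not something from Microsoft or the cited reports. It runs on one machine from an elevated prompt and answers the questions that matter this month: how long since the last reboot, what was installed recently, whether a reboot is pending, what Windows Update has queued but not applied, which Office build Excel is running, and whether the Print Spooler is running. The 30-day and 35-day thresholds are assumptions; adjust them to your own patch window. The fixed Excel build number for CVE-2026-26144 is not stated on this page, so the script prints the installed build for you to compare against Microsoft's advisory rather than hard-coding a value.

```powershell
# Added example (not from the original post): patch-state check for one Windows machine.
# Run from an elevated PowerShell prompt. Threshold values below are assumptions.

$MaxUptimeDays   = 30   # assumption: longer than this and queued updates are probably waiting on a reboot
$PatchWindowDays = 35   # assumption: one Patch Tuesday cycle plus a little slack

# 1. Uptime. Machines that "haven't rebooted in three months" show up here first.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
"Last boot: {0} ({1:N0} days ago)" -f $os.LastBootUpTime, $uptime.TotalDays
if ($uptime.TotalDays -gt $MaxUptimeDays) {
    Write-Warning "Uptime exceeds $MaxUptimeDays days; installed updates may not have taken effect."
}

# 2. Updates installed within the patch window (same data as Installed Updates in Control Panel).
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$PatchWindowDays) } |
    Sort-Object InstalledOn -Descending
if ($recent) { $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize }
else         { Write-Warning "No updates installed in the last $PatchWindowDays days." }

# 3. Pending-reboot markers written by Windows Update and Component Based Servicing.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = $pendingKeys | Where-Object { Test-Path $_ }
if ($rebootPending) { Write-Warning "Reboot pending: $($rebootPending -join ', ')" }

# 4. Updates Windows Update knows about but has not installed yet.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($result.Updates.Count -gt 0) {
    Write-Warning "$($result.Updates.Count) update(s) available or downloaded but not installed:"
    foreach ($u in $result.Updates) { "  - $($u.Title)" }
} else {
    "No outstanding Windows updates."
}

# 5. Microsoft 365 Apps (Excel) build. Click-to-Run updates do not come through Windows Update,
#    so a machine can pass steps 2-4 and still run a vulnerable Excel. Compare this build with the
#    fixed build in Microsoft's advisory for CVE-2026-26144 (not stated on this page, so not hard-coded).
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2r) {
    $cfg = Get-ItemProperty -Path $c2r
    "Office build: {0} (update channel: {1})" -f $cfg.VersionToReport, $cfg.UpdateChannel
} else {
    "No Click-to-Run Office install found; MSI-based Office is patched through Windows Update."
}

# 6. Print Spooler state. General PrintNightmare-era hardening, not specific to CVE-2026-26129:
#    a server that never prints does not need this service running.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Print Spooler: {0} (startup: {1})" -f $spooler.Status, $spooler.StartType
    if ($spooler.Status -eq 'Running' -and $os.ProductType -ne 1) {
        Write-Warning "Spooler is running on a server (ProductType $($os.ProductType)); stop and disable it if this host does not print."
    }
}
```

Run it on a handful of machines and the three failure modes described in this post separate cleanly: step 1 catches the never-rebooted desktop, step 4 catches updates queued but never installed, and step 5 catches the machine that is current in Windows Update but still running last month's Excel. The COM call in step 4 queries the machine's configured update source, so it takes a few seconds and needs network access to that source; the rest reads local state only.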
Patching is genuinely the most basic, highest-return security practice that exists. It's not glamorous, but it works. A large share of successful intrusions exploit vulnerabilities for which a patch had been available for weeks or months before the attack. The attackers aren't usually finding novel zero-days. They're walking through doors that were left open.
If keeping up with monthly patch cycles sounds like a part-time job, that's because it kind of is. It's also exactly the kind of thing a managed IT provider handles so you don't have to think about it.
Want someone to make sure your systems stay patched and protected? Reach out to us or give us a call at (412) 307-8313.
[1] Microsoft Security Response Center, "March 2026 Security Updates," msrc.microsoft.com
[2] Microsoft Security Advisory, "CVE-2026-26144 - Microsoft Excel Information Disclosure Vulnerability," msrc.microsoft.com
[3] BleepingComputer, "New Windows Print Spooler vulnerability draws PrintNightmare comparisons," bleepingcomputer.com
[4] The Verge, "Windows 10 still receiving security patches despite end of support," theverge.com