Microsoft’s March 2026 Patch Tuesday fixes 83 flaws, including three critical Office vulnerabilities exploitable through the Preview Pane that allow code execution without opening files, and a Copilot-linked Excel bug that could leak data. The ACSC urges immediate patching under the Essential Eight.
A Western Australian government audit has exposed critical Microsoft 365 security failures across seven state entities, leading to a data breach that leaked information on minors and a separate business email compromise incident resulting in the theft of $71,000 through fraudulent invoices.
Google's March 2026 Android update patches a critical zero-day (CVE-2026-21385) in Qualcomm chips used in hundreds of millions of devices. The flaw, under active exploitation, allows privilege escalation and system compromise, posing a significant risk to users.
Microsoft’s March 2026 Patch Tuesday fixes 83 flaws, including three critical Office vulnerabilities exploitable through the Preview Pane that allow code execution without opening files, and a Copilot-linked Excel bug that could leak data. The ACSC urges immediate patching under the Essential Eight.
Cyber News Centre's cyber update for 11th March 2026: Microsoft has released its March 2026 security update, patching 83 vulnerabilities, including critical remote code execution flaws in Microsoft Office that can be triggered simply by previewing a malicious document.
Update: Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities, with three critical flaws in Microsoft Office demanding immediate attention from Australian organisations. Two remote code execution (RCE) vulnerabilities, CVE-2026-26110 and CVE-2026-26113, can be exploited through the Preview Pane in Outlook and other applications. This means an attacker could execute arbitrary code on a target system without the user even opening the malicious Office file. A third critical flaw, CVE-2026-26144, is an information disclosure vulnerability in Microsoft Excel. This bug allows for a zero-click attack where the Copilot AI agent can be manipulated to exfiltrate sensitive data from a spreadsheet across the network.
The update also includes patches for two publicly disclosed zero-day vulnerabilities, a SQL Server elevation of privilege flaw (CVE-2026-21262) and a .NET denial-of-service bug (CVE-2026-26127), though Microsoft reports neither is being actively exploited.
The release is dominated by elevation of privilege flaws, which account for over half of the total patches, highlighting ongoing risks for post-compromise lateral movement within corporate networks. Organisations are urged to prioritise these patches to mitigate significant security risks.
Why it Matters: The critical Office vulnerabilities represent a significant threat to Australian businesses and government agencies, which rely heavily on Microsoft's productivity suite. The Preview Pane attack vector lowers the bar for successful exploitation, as it bypasses the common security advice of not opening attachments from unknown sources.
For organisations using Microsoft's AI-powered Copilot, the CVE-2026-26144 flaw introduces a novel, sophisticated data exfiltration risk that could lead to major data breaches. Given the Australian Cyber Security Centre's (ACSC) Essential Eight framework, which mandates timely patching, these updates are non-negotiable for maintaining a baseline of cyber resilience and compliance.
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
A Western Australian government audit has exposed critical Microsoft 365 security failures across seven state entities, leading to a data breach that leaked information on minors and a separate business email compromise incident resulting in the theft of $71,000 through fraudulent invoices.
Google's March 2026 Android update patches a critical zero-day (CVE-2026-21385) in Qualcomm chips used in hundreds of millions of devices. The flaw, under active exploitation, allows privilege escalation and system compromise, posing a significant risk to users.
Global legal intelligence giant LexisNexis has confirmed a significant cloud data breach after hackers exploited a vulnerable application, exfiltrating 2GB of data. The incident exposed details on enterprise clients, including law firms and government agencies, raising serious supply chain concerns.
Tehran-linked hackers are turning a distant war into a live resilience test for Australia, probing Five Eyes networks as local banks quietly move to high alert while hybrid warfare becomes a “when, not if” cyber disruption scenario.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
