Microsoft Disables Preview In File Explorer To Block Attacks (bleepingcomputer.com) 44
Slashdot reader joshuark writes: Microsoft says that the File Explorer (formerly Windows Explorer) now automatically blocks previews for files downloaded from the Internet to block credential theft attacks via malicious documents, according to a report from BleepingComputer. This attack vector is particularly concerning because it requires no user interaction beyond selecting a file to preview and removes the need to trick a target into actually opening or executing it on their system.
For most users, no action is required since the protection is enabled automatically with the October 2025 security update, and existing workflows remain unaffected unless you regularly preview downloaded files.
"This change is designed to enhance security by preventing a vulnerability that could leak NTLM hashes when users preview potentially unsafe files," Microsoft says in a support document published Wednesday.
It is important to note that this may not take effect immediately and could require signing out and signing back in.
For most users, no action is required since the protection is enabled automatically with the October 2025 security update, and existing workflows remain unaffected unless you regularly preview downloaded files.
"This change is designed to enhance security by preventing a vulnerability that could leak NTLM hashes when users preview potentially unsafe files," Microsoft says in a support document published Wednesday.
It is important to note that this may not take effect immediately and could require signing out and signing back in.
Or, and stay with me here (Score:5, Informative)
Re: (Score:2)
Agreed, but these ninnies can't create a secure sandbox that is only allowed to spit out an image. The sandbox itself will have sandbox escape vulnerabilities.
Re:Or, and stay with me here (Score:4, Interesting)
use RTX path-tracing approximation (Score:1)
Re:Or, and stay with me here (Score:5, Insightful)
Re: (Score:3, Informative)
The Windows mechanism that recognizes whether a file is trusted or not is broken. I have trusted a file, then deleted that file, and renamed an untrusted file to the name the trusted file had. Then the file opens normally without a warning.
Re: (Score:2)
Was the file on NTFS? On that file system, the zone identifier is stored under an alternate data stream in the filesystem for the file.
OK, it's probably correct on-disk but Windows isn't smart enough to delete things like this from the file cache.
Re: (Score:2)
At which point you don't need the preview. Great that in the absence of properly locking down the code to local data that it will block previews. But the unlock functionality needs to be on the preview panel. Stops casual accidental running of code but lets you do it intentionally. The file properties also have an unblock button.
Re:Or, and stay with me here (Score:4, Interesting)
So they'll save it as an attachment, don't know where they saved it, forget about it and finally previewing it while searching for something completely different.
Re:Or, and stay with me here (Score:4)
You're making a lot of assumptions about how this works, including the theory that you can sandbox it in this way without re-writing the network APIs for windows. Reminder: Preview supports external software, i.e. Windows may not even be responsible for presenting the preview.
Ah, preview! (Score:5, Insightful)
"Preview". Also known as "Let me help you by running this anonymous code without asking or even checking to see it is is suspicious and I won't even give you the chance to decide whether or not to run it!"
"Microsoft considered harmful."
Re: (Score:3)
Y'know, when Microsoft introduced the preview feature, I said "this is a dumb feature, it will only help make attacks much easier".
Now...well, color me surprised. Not.
I could have told them that. Heck, probably their own security experts could have told them that. But security is not the main driver in their UI design (nor is user experience, it seems to me).
Re: (Score:3)
Well, Microsoft created autorun which is even more stupid, so, nothing new.
Re: (Score:2)
Didn't Outlook used to do a preview as well? You would think M$ would learn. I guess not.
This is one of many reasons I try hard to stay away from all M$ products. I used to like them many years ago, but being stabbed in the back and slapped in the face many times has taught me not to trust them with anything. >:^(
Re:Ah, preview! (Score:5, Interesting)
It doesn't "run code". It doesn't need to.
It's not a new issue, just a new instance of it. If you have a file that contains external resources, such as HTML, to preview it you need to load the external resources. Which isn't a vulnerability in itself, but allows you to initiate a new network access request without user action. And Windows will helpfully attempt to log in to the random external server with the username and password of the current local user, which is the real vulnerability.
And the password is hashed, but that provides no real security - the hash effectively is the password and is sent in plain text on the wire.
Re:Ah, preview! (Score:4, Insightful)
So rather than fix that sort of thing, instead they're going to keep track of what's downloaded from the Internet and what isn't, and then avoid preview for some files but not others, based on a decision the user has no way to verify. You've got to wonder why they think that's "better"...?
Preview doesn't need to be the same as "actual view" - just block the external network requests, don't run any 'code' and bail out to say "preview unavailable" if it's all been a bit too difficult. But no, best we don't show a PNG from the Internet, in case it releases the BEAST.
Re: (Score:2)
They already track the zone identifier. So it's almost zero effort to disable preview on that. However, this is the sort of thing where that temporary bandaid becomes the final fix even though it's not necessary.
However, blocking network requests is also only a bandaid for a mechanism that hands out credentials to an unidentified server.
Re: (Score:2)
By the time you're in a position to preview something, 99.9% of the time you've already implicitly trusted the contained code. You have sought that file for a purpose, I presume it's not because you're just a collector of random bits of data and are afraid of an empty drive.
All OSes preview files, including Apple and Linux GUI variants.
Or (Score:5, Insightful)
They could make sure their file preview handlers are secure. Just peer review (I guess if your peers are fellow M$FT employees that may be a problem) and validate the parser line by line use a god damn checklist and various tools that exist for doing this sort of thing. Ensure all inputs to every function are validated for length and types. It's not even that hard, and certainly not impossible, especially for images. I guess something complex like PDF may be harder .. but they don't need to support everything. I mean, if they can't write a trusted parser, maybe they should get out of the OS business? Jesus.
Re: (Score:2)
Re:Or (Score:5, Informative)
Image formats are likely far harder than you think to get correct. I was always impressed by this exploit, carefully written up by Google's project Zero.
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
The entry point to the exploit was a buffer overflow related to an integer overflow in the calculation. The code does bounds checks just fine as long as the overflow doesn't happen. I know I could have code-reviewed that code a dozen times and not seen the bug (and this code was originally open source and nobody fixed it there either)... ok, now I that know what to look for I probably would. Bottom line: you have to use checked math for just about any code interpreting the file format. A system like Windows supports lots and lots of different image formats, many old and little-used (but still used somewhere so they'll break things if they remove support for it).
This is just for images. Preview functions also preview any file type, including 3rd party ones (and if Microsoft didn't support 3rd party add-ins they likely would get sued for antitrust violations somewhere in the world). One single vulnerability in any of these handlers can cause a problem. The only possible way to handle this is via sandboxing and making damn sure that there are no exploits in the sandboxing code. (I have no idea whether Microsoft sandboxes this code... I would hope so.)
No matter what, this is about defense in depth. Making the user explicitly approve a file downloaded from the internet reduces the attack surface.
Re: (Score:2)
That particular exploit, though highly sophisticated and hard to create, would have been flagged by static and dynamic analysis. Even a basic static analysis tool would have found that the loop can create an overflow.
Re: (Score:3)
THIS. I was flabbergasted when NextCloud wouldn't do previews for security reasons, but freakin' Microsoft?! Also, this isn't something that needs network or file access, just take some memory range and spit out some results in another buffer (which should be controllable, as big as a bitmap thumbnail would be), with all the features in modern CPU/OSes can't we isolate this well enough?
This part from TFA is min
Re: (Score:2)
They could make sure their file preview handlers are secure. Just peer review (I guess if your peers are fellow M$FT employees that may be a problem) and validate the parser line by line use a god damn checklist and various tools that exist for doing this sort of thing. Ensure all inputs to every function are validated for length and types. It's not even that hard, and certainly not impossible, especially for images. I guess something complex like PDF may be harder .. but they don't need to support everything. I mean, if they can't write a trusted parser, maybe they should get out of the OS business? Jesus.
These are the same guys who decided knowing what file extension something has was a bad thing.
Re: So ... (Score:1)
Wait! (Score:3)
So how has Apple been doing this for the past 40 years?
Re: (Score:2)
Apple has problems too. See https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
And I am sure if you look into Linux code you'll find code that is just as vulnerable.
Removing the ability to preview a file before the user explicitly oks it is just defense in depth. As I said in my related post, code associated with image file formats are not trivial to validate. And preview is used for 3rd-party formats, which means 3rd-party code.
I believe Apple mitigated this particular attac
Re: (Score:2)
Insecurely. This has been a problem across all OSes. There have been exploits in open source implementations too.
fucked up (Score:4, Interesting)
When your preview function can compromise the user, you know that you've fucked up. Again. Why is anyone trusting MickeySoft with their business secrets? I'll never understand that. They are literally known for making insecure crap.
I guess the "features over everything" attitude somehow does vibe with the right market segment. Which I fear has influence on purchasing decisions far beyond what their competence justifies.
Re: (Score:1)
Why is anyone trusting MickeySoft with their business secrets?
It's inertia, largely from government, but also institutionally. When businesses originally adopted Windows (3.x) there was a massive cost difference between Windows and anything else capable of doing the job of allowing users to run business applications, and in many cases the software simply wasn't there. Putting everyone on a Unix workstation would have cost 3x as much or more, even if the software existed. Putting them on X terminals and using centralized systems to support those would not have saved an
Re: fucked up (Score:2)
Lol mickeysoft dildos with mod points
Re: (Score:2)
When your preview function can compromise the user, you know that you've fucked up. Again. Why is anyone trusting MickeySoft with their business secrets?
This has literally been a problem for every OS. Previewing files is much harder than armchair engineers from the peanut gallery will ever care to understand.
Microsoft disables explorer in explorer in win11 (Score:5, Interesting)
When you load an Explorer window in Windows 10, the window loads and then it loads the stuff that's supposed to be in it. In Windows 11, in an apparent attempt to hide how the sausages are made from the user, it loads the stuff that's supposed to be in it before it draws the window. That way it's usable shortly after it appears. But what happens if you have a network failure? Now the explorer window no longer appears until after the network timeout passes, even if you open e.g. "explorer c:\". This means that you cannot use Explorer to load local resources during a period of network failure without waiting for at least a few minutes. If I want to open a local document I therefore either have to load it from within the application (which itself may have a variation of the same problem related to file dialogs not becoming usable until the network timeout passes) or go find and "start" it with the CLI.
While I'm complaining about stupid by-design fuckups in Windows 11, I used to use Notepad as part of my workflow in Windows 10. Not only does all text appear the same with no formatting, but it strips formatting, so if you paste something into classic notepad and then C&P it out later it goes without any of the text formatting. Sometimes this is exactly what I want. Windows 11's notepad breaks both of these things by supporting RTF, and by having a shitty autosave feature which you cannot disable. You can stop Notepad from loading its prior state on launch, but you CANNOT disable autosave. If a network share goes away while a document is open, NOTEPAD HANGS. If it doesn't come back before the timeout is exceeded, THE DOCUMENT IS UNLOADED. It literally just closes the tab, ALONG WITH YOUR CHANGES.
Microsoft has always been incompetent but this is well beyond the pale. This is beyond amateur hour level bullshit, this is a new low of incompetence even for Microsoft. And since their servers are pathetically fragile and need to be rebooted once a week or more for something simple like file services to even work reliably, this is causing me real life problems which result in less work being done.
Re: (Score:2)
If a network share goes away while a document is open, NOTEPAD HANGS. If it doesn't come back before the timeout is exceeded, THE DOCUMENT IS UNLOADED. It literally just closes the tab, ALONG WITH YOUR CHANGES.
I protect against this by never saving anything I have open in Notepad. I have unsaved files with no filename going back at least 6 months that still open when my computer reboots. It's as usable as Chrome in that respect. Multiple windows with multiple tabs of things I'm sure I'll come back to eventually.
File Manager (Score:3)
Explorer? I still call it File Manager. I never did get on board with that whole "explorer" narrative. They're my files, and I will manage them, not let them run wild so I have to "explore."
That's a good first step (Score:2)
Capabilities-based operating system (Score:2)
This problem doesn't exist if you don't grant every system application excessive access to your computer. A part of a program that makes a preview image of a file doesn't need Internet access for example. But here we are, an operating system designed by people who apparently didn't bother to design a secure architecture despite 4 decades of papers on this very subject.
Simple Firewall Fix (Score:2)