\n<\/p>\n
Microsoft this week introduced that the preview function is now disabled in Home windows\u2019s File Explorer for information downloaded from the web, as an extra safety in opposition to NTLM hash leaks.<\/strong><\/p>\n The change, rolled out as a part of the October 2025 Patch Tuesday<\/a> safety updates, applies to all information which might be marked with Mark of the Net (MotW).<\/p>\n Home windows provides the MotW to information fetched through browser downloads or electronic mail attachments and warns customers of the potential threat these information pose. For Workplace information, the system blocks macros, which may include malicious code.<\/p>\n By disabling the preview of information downloaded from the web, Microsoft seeks to forestall a safety defect resulting in NTLM hash leaks when a probably unsafe file is previewed. Attackers can brute-force the leaked hash to retrieve a person\u2019s password, or may mount relay assaults.<\/p>\n \u201cThis variation mitigates a vulnerability the place NTLM hash leakage may happen if customers preview information containing HTML tags (reminiscent of The corporate doesn’t say which flaw it tackles, however it seems that it might be CVE-2025-59214, which is described as a File Explorer spoofing difficulty and will enable attackers to leak delicate info over the community.<\/p>\n The bug is a bypass for CVE-2025-50154, which in flip is a bypass for CVE-2025-24054, a zero-click NTLM credential leakage vulnerability that Microsoft tried to resolve in March<\/a>. CVE-2025-24054 has been exploited within the wild<\/a>, together with in opposition to authorities and personal establishments in Poland and Romania.<\/p>\n The unique bug might be triggered through malicious .library-ms information positioned inside a ZIP archive. When the person extracted the archive, Home windows initiated an SMB authentication request to a distant server, leaking the NTLM hash.<\/p>\n