Concise Cyber

Microsoft Disables File Explorer Preview for Downloads to Block NTLM Theft Attacks

Microsoft has implemented a significant security measure by disabling the File Explorer preview pane for files located in the “Downloads” folder. This proactive change directly addresses a vulnerability that could be exploited by attackers to steal Windows NTLM credentials, enhancing the overall security of the operating system.

Understanding the Security Measure

The modification made by Microsoft specifically targets the preview functionality within File Explorer, a feature that allowed users to view the content of various file types—such as images, documents, and media—without opening them fully. This convenience, however, presented a critical security risk when applied to untrusted files. Microsoft’s action to disable this specific preview feature for all items within the Downloads folder is a direct and targeted response to identified threats, aiming to bolster the security posture of Windows operating systems against sophisticated credential theft attempts.

Protecting Against Credential Theft

The primary motivation behind this update is to prevent NTLM credential theft attacks. Attackers exploited a mechanism where specially crafted malicious files, when merely previewed in File Explorer, would automatically attempt to initiate an NTLM authentication request. This request, if successful, could transmit a user’s hashed NTLM credentials to an attacker-controlled server, potentially leading to unauthorized access to network resources or sensitive data. By removing the preview pane functionality for downloaded files, Microsoft has effectively closed this specific attack vector, preventing such credential harvesting schemes from executing simply through a preview action. This immediate enhancement represents a tangible step in securing user data and system integrity against known exploitation methods.
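For defenders who want to spot the behaviour described above on hosts where previews are still active, the following added example (not from Microsoft or the source article) filters outbound NTLM audit records for authentication attempts made by File Explorer's preview processes toward servers outside an internal allowlist. The record fields, sample events, the `corp.example` suffix and the `10.0.0.0/8` range are constructed assumptions, as is the choice of `explorer.exe` and `prevhost.exe` as the processes to watch.

```python
import ipaddress

# Assumption: processes that render File Explorer previews. prevhost.exe hosts
# preview handlers out of process; explorer.exe is the shell itself.
PREVIEW_PROCESSES = {"explorer.exe", "prevhost.exe"}

def target_host(target):
    """Return the lowercase host from an SPN-style target such as 'cifs/host'."""
    return target.rsplit("/", 1)[-1].strip().lower().rstrip(".")

def is_trusted(host, trusted_suffixes, trusted_nets):
    """True when the host is a known internal name or sits in a known subnet."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Match whole DNS labels so 'evilcorp.example' never passes as 'corp.example'.
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return any(addr in net for net in trusted_nets)

def flag_preview_ntlm(events, trusted_suffixes, trusted_nets):
    """Return outbound-NTLM audit records raised by a preview process
    toward a server that is not on the internal allowlist."""
    hits = []
    for ev in events:
        proc = ev.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        host = target_host(ev.get("target", ""))
        if proc in PREVIEW_PROCESSES and host and not is_trusted(
                host, trusted_suffixes, trusted_nets):
            hits.append((ev.get("time"), ev.get("user"), proc, host))
    return hits

# Constructed sample records (not real telemetry); field names are simplified.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:14:02", "user": "CORP\\alice",
     "process": "C:\\Windows\\explorer.exe", "target": "cifs/files01.corp.example"},
    {"time": "2025-01-10T09:15:40", "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\prevhost.exe", "target": "cifs/203.0.113.7"},
    {"time": "2025-01-10T09:16:11", "user": "CORP\\bob",
     "process": "C:\\Windows\\explorer.exe", "target": "HTTP/share.example.net"},
    {"time": "2025-01-10T09:17:55", "user": "CORP\\bob",
     "process": "C:\\Program Files\\App\\sync.exe", "target": "cifs/198.51.100.9"},
    {"time": "2025-01-10T09:18:30", "user": "CORP\\carol",
     "process": "C:\\Windows\\explorer.exe", "target": "cifs/10.20.0.5"},
]
TRUSTED_SUFFIXES = ["corp.example"]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    for hit in flag_preview_ntlm(SAMPLE_EVENTS, TRUSTED_SUFFIXES, TRUSTED_NETS):
        print(hit)
```
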

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-preview-pane-for-downloads-to-block-ntlm-theft-attacks/