Microsoft’s busy October continues. We’ve had the end of Windows 10, multiple fails and two emergency Windows updates, Teams privacy and security warnings, and now a new alert for Windows 11 users that file previews are suddenly blocked.
Microsoft confirms that starting Oct. 14, “File Explorer automatically disables the preview feature for files downloaded from the internet.” This is only for files you’ve downloaded online, those with a “Mark of the Web (MotW).”
The Windows-maker says such files are vulnerable to “NTLM hash leakage” where files contain “HTML tags (such as <link>, <src>, and so forth) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials.”
That’s why Microsoft has deemed all such files potentially “unsafe,” unless and until you unblock them by right-clicking to open a file’s Properties settings.
The risk seems quite specific, and so it should have been possible to block files with more specific attributes or better sandbox the preview function. What we have instead seems extreme. It risks impacting users or seeing them too readily unblock files.
The greater threat is that the bypass when you receive an alert is to open the file, but only — Microsoft says — “if you trust the file and the source you received it from.” That seems high-risk and doesn’t address the problem.
This change will happen automatically. “No action is needed to benefit from this security enhancement. Existing workflows remain unaffected unless previewing files downloaded from the internet.” Which is quite the catch-all.
Microsoft does say “the change might not take effect immediately but will be effective after the next login,” and also says you can unblock all files from. an file share address. Albeit, doing so “will relax the security posture for all files from the listed file share.”