RenderShock attacks exploit file preview systems without requiring user interaction, enabling credential harvesting and remote access. Unlike traditional phishing campaigns that rely on users clicking malicious links or opening infected attachments, RenderShock leverages built-in system automation features to achieve compromise through legitimate background processes.

The vulnerability affects the Windows Explorer Preview Pane, macOS Quick Look, email client preview systems, and file indexing services, including Windows Search Indexer and Spotlight. These systems process files in memory, often invoking registered preview handlers that can trigger malicious code execution. This enables multiple attack vectors, including reconnaissance through passive beacons, credential theft via NTLMv2 harvesting, and remote code execution through preview-based macro execution.

The technique uses malicious LNK files, PDFs, and Office documents to trigger NTLM theft and code execution. Foundational payloads include LNK files with UNC icon paths, which cause Windows Explorer to initiate NTLM authentication when a folder is merely browsed, and RTF files containing INCLUDEPICTURE field injections that fetch remote resources during preview. Advanced techniques involve polyglot file formats that confuse multiple parsers, remote template injection in Office documents without macros, and poisoned ICC color profiles in images.

Security teams should implement comprehensive defenses, including disabling preview panes in Windows Explorer and Quick Look on macOS, blocking outbound SMB traffic (TCP 445) to untrusted networks, and enforcing macro blocking through Group Policy.
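As an added example (not from the article), a small Python parser for the StringData fields of a Windows shortcut that flags any field pointing at a UNC share, the remote icon path the article describes as the trigger; the sample shortcuts and the 203.0.113.5 address are constructed test values.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob, skipping the optional
    LinkTargetIDList and LinkInfo structures that precede them."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    pos = 0x4C
    if flags & HAS_ID_LIST:                     # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (u32) counts itself too
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:             # fields appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields

def unc_references(data: bytes) -> list:
    """Names of StringData fields that hold a UNC path (\\\\host\\share\\...).
    A remote icon_location is the case to alert on: Explorer resolves it,
    and performs the NTLM handshake, as soon as the folder is rendered."""
    return [name for name, value in parse_lnk_strings(data).items()
            if value.startswith("\\\\")]

def build_lnk(icon_location: str) -> bytes:
    """Constructed test fixture: minimal LNK with an empty IDList and one icon path."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x40
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID
    icon = icon_location.encode("utf-16-le")
    return header + id_list + struct.pack("<H", len(icon_location)) + icon
```

Run the parser over shortcuts arriving by mail or landing in shared folders and alert on any non-empty result before the file is ever rendered.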
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 14 Jul 2025 13:15:13 +0000