Microsoft Enhances Security by Restricting desktop.ini File Processing
Severity: Medium (Score: 57.8)
Sources: Feeds.4Sysops, Neowin
Keywords: windows, updates, microsoft, kb5094126, june, kb5093998, desktop
Severity indicators: critical
Summary
On June 11, 2026, Microsoft released Patch Tuesday updates (KB5094126, KB5093998) for Windows 11 versions 23H2, 24H2, and 25H2, which introduced security measures that restrict the processing of desktop.ini files. This change aims to mitigate the risk of attackers exploiting malformed desktop.ini files to trigger memory corruption or execute arbitrary code. The updates affect users who utilize custom folder presentations, as these will no longer be displayed if deemed untrusted. The security hardening targets files downloaded from the internet and those stored in untrusted network locations. Microsoft has provided guidance for users to manage this behavior, including marking folders as trusted or reverting to previous settings. This update is part of ongoing efforts to enhance the security posture of Windows operating systems against potential exploitation vectors.

Key Points:
• Microsoft's June 2026 updates restrict desktop.ini file processing to enhance security.
• The changes aim to prevent exploitation through malformed configuration files.
• Affected systems include Windows 11 versions 23H2, 24H2, and 25H2.
Detailed Analysis
**Impact**
Windows 11 users across versions 23H2, 24H2, and 25H2, as well as Windows 10 22H2, are affected by the update changes. The modification impacts folder customization features relying on desktop.ini files, potentially disrupting user experience in environments where these files are used extensively. Organizations with network shares or remote file sources may experience operational impacts due to blocked folder customizations. No specific sectors, geographies, or data breach incidents are detailed in the sources.

**Technical Details**
The vulnerability involves the Windows Shell component automatically processing desktop.ini files, which can be exploited via specially crafted configuration files to trigger buffer overflow and arbitrary code execution. Attackers could place malicious desktop.ini files on network or remote locations, exploiting untrusted sources such as files marked with Mark-of-the-Web (MOTW) or from WebDAV/HTTP paths. No CVE identifiers or specific malware/tools are mentioned. The attack vector is local file processing during folder browsing, corresponding to the exploitation stage of the kill chain.

**Recommended Response**
Apply the June 2026 Patch Tuesday updates: KB5094126 for Windows 11 25H2/24H2, KB5093998 for Windows 11 23H2, and KB5094127 for Windows 10 22H2. For trusted internal sources, add them to the Trusted Sites list to allow normal processing of desktop.ini files. Organizations requiring legacy behavior can enable the Group Policy “Allow the use of remote paths in file shortcut icons.” Additionally, verify and remove Mark-of-the-Web (MOTW) from desktop.ini files where appropriate. Monitor for unusual folder customizations and network file access patterns.
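One way to carry out the "verify and remove MOTW" step is to inventory which desktop.ini files carry a Zone.Identifier stream before unblocking anything. The script below is an added example, not code from Microsoft or the source articles; the default path `C:\Shares` and the parameter names are assumptions.

```powershell
# Added example: audit desktop.ini files for Mark-of-the-Web (MOTW).
# $Root and -Unblock are hypothetical parameter names chosen for this sketch.
param(
    [string]$Root = 'C:\Shares',   # placeholder folder tree to audit
    [switch]$Unblock               # remove MOTW only when explicitly requested
)

# Standard URL security zone numbers recorded in the Zone.Identifier stream.
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

# desktop.ini is normally hidden and system, so -Force is needed to list it.
$findings = Get-ChildItem -LiteralPath $Root -Filter 'desktop.ini' -File -Recurse -Force `
                -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # MOTW lives in an NTFS alternate data stream; no stream means no mark.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                   -ErrorAction SilentlyContinue
        if ($null -eq $ads) { return }   # skip unmarked files

        $zoneId = $null; $hostUrl = $null
        foreach ($line in $ads) {
            if     ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
        }
        $zone = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
                    $zoneNames[$zoneId] } else { 'Unknown' }

        [pscustomobject]@{
            Path      = $file.FullName
            ZoneId    = $zoneId
            Zone      = $zone
            HostUrl   = $hostUrl          # origin, when the downloader recorded one
            LastWrite = $file.LastWriteTime
        }
    }

# Review list: highest-risk zones first.
$findings | Sort-Object ZoneId -Descending | Format-Table -AutoSize -Wrap

if ($Unblock) {
    # -Confirm prompts per file so each removal is a deliberate decision.
    $findings | ForEach-Object { Unblock-File -LiteralPath $_.Path -Confirm }
}
```

Run it without `-Unblock` first and keep the output as a record; a marked desktop.ini whose origin nobody can account for is a candidate for deletion rather than unblocking.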
Source articles (2)
- Windows June 2026 updates restrict desktop.ini files to enhance security — Feeds.4Sysops · 2026-06-11
Microsoft introduced new security restrictions for desktop.ini files in the June 2026 Patch Tuesday updates for Windows 11 versions 23H2, 24H2, and 25H2. These updates, specifically KB5094126 and KB50…
- Microsoft: Windows 11 KB5094126, KB5093998 finally stops trusting a critical system threat — Neowin · 2026-06-11
This week Microsoft released the Patch Tuesday updates for June 2026 with KB5094126 on Windows 11 25H2, 24H2, and KB5093998 on Windows 11 23H2. On Windows 10 22H2 it's under KB5094127. Alongside the…
Timeline
- 2026-06-11 — Microsoft releases June 2026 Patch Tuesday updates: Updates KB5094126 and KB5093998 for Windows 11 introduce restrictions on desktop.ini files to enhance security.
- 2026-06-11 — Security measures against desktop.ini exploitation announced: Microsoft confirms that custom folder presentations will not appear if deemed untrusted, as part of security hardening efforts.
Related entities
- CWE-120 - Classic Buffer Overflow (CWE)
- CWE-122 - Heap-based Buffer Overflow (CWE)
- network.so (Domain)
- Windows (Platform)
- Windows 10 (Platform)
- Windows 11 (Platform)