MICROSOFT IS continuing its ‘October Update Horribilis’ with the discovery that a security hole in the Universal Windows Platform gave full file system access to apps.
In other words, it had the potential to let a bad app do whatever it wanted with your data, and because it didn’t ask for permissions, you’d never even know.
The issue comes from a permission in the system called broadFileSystemAccess. It’s the key to the drinks cabinet, so to speak.
Not only was this enabled in the Windows Universal framework (you may know it as ‘Tiled’ or ‘Metro’), but in the latest version of Windows (1809, or October 2018, or ‘oh god, what did we miss, NOW?’) the flag to make Windows confirm it was OK to give all this shiny permission wasn’t activated, and it all got a bit Order 66.
But Bleeping Computer points out that the problem runs deeper. The broadFileSystemAccess capability isn’t given out willy-nilly. Developers are supposed to explain to Microsoft why they need it, and Microsoft tells them whether that’s OK.
The dev documents explain: “Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.”
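Since the capability has to be declared in an app’s package manifest, you can check for it yourself. The sketch below is an added example, not code from Microsoft or Bleeping Computer: it reads AppxManifest.xml files and reports any package that declares broadFileSystemAccess. The sample manifest is constructed, and the folder you hand to `audit` is assumed to be wherever you have the package manifests to hand.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

RESTRICTED = "broadFileSystemAccess"

# Constructed sample manifest for illustration; not taken from a real app.
SAMPLE_MANIFEST = """<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Contoso.SampleApp" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def declared_capabilities(manifest_xml):
    """Return (package identity name, list of declared capability names)."""
    root = ET.fromstring(manifest_xml)
    identity, caps = "", []
    for child in root:
        if local_name(child.tag) == "Identity":
            identity = child.get("Name", "")
        elif local_name(child.tag) == "Capabilities":
            caps = [c.get("Name") for c in child if c.get("Name")]
    return identity, caps


def audit(root_dir):
    """List (package, manifest path) for every manifest declaring RESTRICTED."""
    hits = []
    for path in Path(root_dir).rglob("AppxManifest.xml"):
        try:
            identity, caps = declared_capabilities(path.read_bytes())
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed manifest: skip it
        if RESTRICTED in caps:
            hits.append((identity, str(path)))
    return sorted(hits)


if __name__ == "__main__":
    print(declared_capabilities(SAMPLE_MANIFEST))
```

Anything it lists is worth cross-checking against Settings > Privacy > File system, where access for those apps can be switched off.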
Microsoft, Bleeping Computer points out, doesn’t have a stellar record on this in recent times, which raises questions over the quality of the vetting procedure for the Windows Store right now.
And of course there’s a world of shudda-wudda-cudda about how it could have infected millions of machines and it could have been a disaster, but the fact is it didn’t. But it could have. But it didn’t.
But it’s just one more thing for Microsoft to take back to the lab as it dissects what went so spectacularly wrong with its latest Windows-as-a-Service update. μ
Source: Inquirer