Microsoft’s Windows team will likely be glad to see the back of October and will be hoping for a better November. It has been a bad month for Windows 10. The platform’s latest release, the October 2018 Update (version 1809), was pulled after the manual update deleted user files. Microsoft has also had to contend with myriad other bugs and zero-day vulnerabilities.

In fact, the company has quietly fixed a flaw in Windows 10 that stopped the platform from telling users when apps requested access to all files. It is worth noting the problem has been fixed in version 1809, which is currently on hold on the Windows Insider Program.

The vulnerability occurred in the Windows 10 “BroadFileSystemAccess” API. If exploited by a bad actor developing Universal Windows Platform (UWP) apps, the issue would allow access to all system files. An attacker could have total access to photos, documents, files, and other system areas.

Discovered by .NET developer Sebastian Lachance, the vulnerability tricks the access permissions in UWP apps. Windows applications developed as UWP are restricted to certain system folders by default. However, the user can manually grant permission if the app asks for it.

Gaining Access

If a user is tricked into believing the app is legitimate, they may be willing to hand over access. Microsoft has released documentation on the capability; the faulty API was originally intended to give developers ways to make their apps more user-focused.

“This is a restricted capability. On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system,” Microsoft notes.

“If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it. This capability works for APIs in the Windows.Storage namespace.”
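Because the consent prompt could not be relied on in affected builds, a defender can check which packages declare the capability by reading their manifests. The sketch below is an added example, not code from Microsoft or from the researcher; it assumes the manifests follow the AppxManifest.xml format, where the capability is declared as a `rescap:Capability` element, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP = NS + "/restrictedcapabilities"
HEADER = f'<Package xmlns="{NS}" xmlns:rescap="{RESCAP}">'

# Constructed sample manifests; the package names are invented for this example.
SAMPLE_MANIFESTS = {
    "Contoso.PhotoViewer": HEADER + """
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>""",
    "Contoso.Notes": HEADER + """
  <Capabilities>
    <Capability Name="internetClient" />
  </Capabilities>
</Package>""",
    "Contoso.Broken": "<Package><Capabilities>",  # truncated on purpose
}

def declared_capabilities(manifest_xml):
    """Return the Name of every capability element under <Capabilities>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter():
        # Tags look like "{namespace}Capabilities"; compare the local part only.
        if element.tag.rsplit("}", 1)[-1] != "Capabilities":
            continue
        names.extend(c.get("Name", "") for c in element)
    return names

def audit(manifests, capability="broadFileSystemAccess"):
    """Split packages into those declaring the capability and unreadable ones."""
    declaring, unreadable = [], []
    for package, manifest_xml in manifests.items():
        try:
            caps = declared_capabilities(manifest_xml)
        except ET.ParseError:
            unreadable.append(package)  # review by hand, do not assume clean
            continue
        if any(c.lower() == capability.lower() for c in caps):
            declaring.append(package)
    return sorted(declaring), sorted(unreadable)

if __name__ == "__main__":
    declaring, unreadable = audit(SAMPLE_MANIFESTS)
    print("declares broadFileSystemAccess:", declaring)
    print("could not parse:", unreadable)
```

Packages that declare the capability can then be compared against what Settings > Privacy > File system shows as allowed.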

Broken Update

Early adopters of the Windows 10 October 2018 Update, already contending with the update deleting their files, were also faced with the faulty API possibly allowing third-party system access. Through the process of fixing version 1809, Microsoft has now fixed the problem.

From Task Manager issues and broken ZIP extractions to personal files deleted through manual updates, the October 2018 Update has been a near-complete disaster. Microsoft was forced to pull the update from release. It is recovering now through the Insider program in preview form.

It is truly baffling how Microsoft could have missed such software holes over the 8 months it was previewing the update. Let’s not forget, the whole point of the Insider program is for Microsoft to spot these kinds of problems.