Windows 10 Bug Allowed UWP Apps Full Access to File System

Megalith

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
Older versions of Windows 10 contained a bug that allowed Universal Windows Platform (UWP) apps full access to any file on a user’s computer. As Bleeping Computer explains, UWP apps are normally limited to the app's installation directory and a few data storage locations, but a special permission called broadFileSystemAccess can be used to access the entire filesystem. This is supposed to trigger a settings menu that queries the user for their permission, but due to a “bug,” it was never enforced and would fail to display.

This could have allowed a malicious app to access any data stored on the computer without the knowledge or consent of the user. Lechance discovered this bug after creating an app that utilized the broadFileSystemAccess permission in order to access data in a hard coded “C:\myAppData" location. After upgrading to the October 2018 Update, his app suddenly started crashing on startup. This is because in Build 1809 Microsoft had started to enforce the requirement that users give permission using the Settings page before the broadFileSystemAccess permission is allowed.
 
I liken this to a car seller's nasty problem with a new car owner:

Stop fiddling things under the car hood when I BOUGHT the car!
 
Oh, so the October patch has been re-released? Or did this person get it before MS pulled it back? If they got it early, wonder if the UWP security fix will be in the final release?
 
Hallucinator said:
I liken this to a car seller's nasty problem with a new car owner:

Stop fiddling things under the car hood when I BOUGHT the car!
Click to expand...
Amazing how strong the hate for Windows 10 is, that people will complain when Microsoft fixes a security hole!
 
jardows said:
Amazing how strong the hate for Windows 10 is, that people will complain when Microsoft fixes a security hole!
Click to expand...

Well........ :D Yeah, they finally did fix it but, as much as I do use certain UWP apps everyday, many do not use them at all and therefore, you will here that in this thread, sooner or later. UWP made sense when they had their own Mobile platform but, not as much anymore.
 
jardows said:
Amazing how strong the hate for Windows 10 is, that people will complain when Microsoft fixes a security hole!
Click to expand...
The attitude would have never manifested if they didn't suck at QA, use the end user for testing, and end up patching patches, screwing patches up, and generally pushing crap out before it's ready for mass use.

I'm glad they fix what they do, but get it right first and you don't need to fix it later.
 
jardows said:
Amazing how strong the hate for Windows 10 is, that people will complain when Microsoft fixes a security hole!
Click to expand...
Valid criticisms aren't "hate" so much as long time windows users wishing theyd improve the product. If Windows ultimately fails and dies, we all lose. Microsoft has been allowing major problems to manifest or just slip by. With this UWP issue, the problem is they intentionally opened a backdoor to the entire filesystem that UWP app developers could exploit - and then they didn't bother to make the system ask the users permission first as their documentation said it should. Couple that with MS being so lax on vetting app submissions, and they were basically handing the keys to all your files to any trojan app developer - there was a trojan app allowed in as recently as two weeks ago.

The takeaway is this stuff should not be happening with a software company of MS's stature and resources, and certainly not when they continually tout Windows 10 as "The most secure Windows evarrr" and "UWP is so much more secure than Win32".

Every week there's some new windows 10 drama - and most of it could be avoided with better testing. How is Dona Sarkar still drawing a paycheck?
 
Last edited:
I guess this is how my 79yo grandmother get infected with a virus by playing backgammon from the microsoft store (ads infected with a virus ran in the free to play version).
 
What's amazing is how few come in to defend it these days, of course if it walks like a duck...
 
I wonder how long they will keep with this UWP experiment before killing it off...
 
Win10, lol.

It only got adopted by forcing it on people who couldn't edit the registry to keep it off their systems.

And by 'retiring' security updates for older stuff. :(

It won't be too long until all my win7 machines are forced off the web the same way, and I'll be using linux then to access the web, on a throwaway computer.

M$ is killing themselves slowly and painfully, and I refuse to do their software QC for them.

They could have stuck with fixing XP, but apparently there's no money to be made there.


I'm kinda happy they killed GameSpy now; it forced a bunch of us to get together more, and do Lan Parties again, which kinda died after everyone had broadband.

Modern games are all console ports, and suck.

We played a Q2 marathon session over a weekend a few weeks ago, and everyone is really pumped for thanksgiving, when we get to play for 4 days.

I'm modding City64 for something new; we expect about 30 people. :)
 
jardows said:
Amazing how strong the hate for Windows 10 is, that people will complain when Microsoft fixes a security hole!
Click to expand...

Uh huh. What do they win for fixing major security problem they created in the first place, cash?

What would be the right course of action given that one of their most important features wasn't even working?
"We fixed the"
 
jnemesh said:
I would bet money it does go...Play anywhere is a joke.
Click to expand...

UWP is here to stay at least as an extension of Win32 which technically is what UWP is. While maybe not quite as important without a Windows phone presence, UWP is much better for touch and ink capable apps and dealing with resolution scaling and those things are becoming increasingly important in the 2 in 1 era.
 
jnemesh said:
I would bet money it does go...Play anywhere is a joke.
Click to expand...

Uh huh, if you say so. I suppose someone who has not bothered to..... Honestly, I have no idea why you would consider it a joke. Buying a game once and playing it on anything you own that is an Xbox One or Windows 10 PC is fantastic.
 
PeaKr said:
What's amazing is how few come in to defend it these days, of course if it walks like a duck...
Click to expand...

At this point the subject is beyond old and pretty much irrelevant. Just look that this forum. In reviewing the latest GPUs of the RTX line, the site like all the rest are using Windows 10 most even 1809 even with its issues due to the DXR support. Windows 7 is old, 8.1 never caught on. In the Windows world to use the latest and greatest hardware and software there's Windows 10 and that's it.
 
Who says you have to use Windows store? It's quite easy to disable along with all it's dependant apps, probably going to start doing that now

heatlesssun said:
In the Windows world to use the latest and greatest hardware and software there's Windows 10 and that's it.
Click to expand...
 
SmokeRngs said:
Games for Windows Live would like to have a word with you. Well, it would except that it's dead.
Click to expand...
Not too long ago it was the same people swearing windows mobile wasn't going anywhere, yada yada. Reminiscent of the Japanese soldiers isolated on islands that still believed the war was on long after it ended.
 
Last edited:
dgz said:
Uh huh. What do they win for fixing major security problem they created in the first place, cash?

What would be the right course of action given that one of their most important features wasn't even working?
"We fixed the"
Click to expand...
Seriously, at what point do even the most hardened of MS guys hold Microsoft accountable?

If the very next update just outright formatted your fucking drive you'd still have the same one or two guys defending it with something about "2-in-1's and inking" or "lol your fault if you dont have backup".
 
Last edited:
  • Like
Reactions: dgz
like this
blandead said:
Who says you have to use Windows store? It's quite easy to disable along with all it's dependant apps, probably going to start doing that now
Click to expand...

There are a number of apps in the Store ranging from things like Netflix to Xodo which are quite excellent. If one choses not to use the Store that's their choice but I think most will find it useful for at least a few things especially with a 2 in 1 device.
 
SmokeRngs said:
Games for Windows Live would like to have a word with you. Well, it would except that it's dead.
Click to expand...

Not the same thing nor even close to the same thing. One is an actual functional part of the OS and cross platform infrastructure, one was stand alone and easily dismissed, although that being killed was not good.
 
DPI said:
Not too long ago it was the same people swearing windows mobile wasn't going anywhere, yada yada. Reminiscent of the Japanese soldiers isolated on islands that still believed the war was on long after it ended.
Click to expand...

Except that no one, and I mean no one, claimed that Windows Mobile was not going anywhere..... (Hmmm, must be a pun in there somewhere) Also, the poster that started this Play Anywhere is a joke still has not bothered to explain why this is a joke.
 
DPI said:
Seriously, at what point do even the most hardened of MS guys hold Microsoft accountable?

If the very next update just formatted your fucking drive you'd still have the same one or two guys defending it with something about "2-in-1's and inking" or "lol you should've had backup". Still fighting their imaginary forum war like we're not actually on the same side and just want to see MS return Windows to sanity and make it better.
Click to expand...

Hey, it's not like a Windows update ever bricked my laptop! I don't know what you mean by "hold Microsoft accountable." What do you want us to do? (I know your what your answer would be - switch to Linux, but that is hardly a solution). Microsoft discovered a security flaw in Windows, and fixed it. Happens all the time in all sorts of software. Sometimes it's a bigger flaw than others. Some people are complaining that the flaw should not have existed, I get that. Some people (post #4) are complaining that Microsoft fixed the flaw! I just don't understand the emotional need to pile on hatred towards a tool.
 
ManofGod said:
Uh huh, if you say so. I suppose someone who has not bothered to..... Honestly, I have no idea why you would consider it a joke. Buying a game once and playing it on anything you own that is an Xbox One or Windows 10 PC is fantastic.
Click to expand...

Xbox is a joke, and a failure. It's being outsold 3:1 right now by it's competition and is in 3rd place behind the PS4 and Switch...3rd in a 3 man race. Considering the hoops you have to jump through to even get these games to RUN on a PC, and considering the vulnerabilities that using said software opens your system up to, why would anyone with half a brain even BOTHER with these few pathetic titles when there are literally THOUSANDS of other titles available that don't have the ludicrous restrictions placed on them by Microsoft?

Seriously, TRY and defend this crap! I DARE you!
 
heatlesssun said:
UWP is here to stay at least as an extension of Win32 which technically is what UWP is. While maybe not quite as important without a Windows phone presence, UWP is much better for touch and ink capable apps and dealing with resolution scaling and those things are becoming increasingly important in the 2 in 1 era.
Click to expand...

It's completely irrelevant without Windows Phone, and the dying Xbox division rather emphasizes that as well.
 
jnemesh said:
Xbox is a joke, and a failure. It's being outsold 3:1 right now by it's competition and is in 3rd place behind the PS4 and Switch...3rd in a 3 man race. Considering the hoops you have to jump through to even get these games to RUN on a PC, and considering the vulnerabilities that using said software opens your system up to, why would anyone with half a brain even BOTHER with these few pathetic titles when there are literally THOUSANDS of other titles available that don't have the ludicrous restrictions placed on them by Microsoft?

Seriously, TRY and defend this crap! I DARE you!
Click to expand...

LOL! My opinion this, my opinion that, I guess anyone that is in 3rd should just quit, eh? Essentially, these things you said are strictly your opinion and although you can have one, that does not make it right, except for you personally.

Jump through hoops? You mean purchase, download, run? Oh well...... Also, there are plenty of games in the Play Anywhere list with more to come. I have a steam account and plenty of games there but, tell me, where is the support phone number for Steam? I will wait.........
 
Last edited:
jnemesh said:
Xbox is a joke, and a failure. It's being outsold 3:1 right now by it's competition and is in 3rd place behind the PS4 and Switch...3rd in a 3 man race.
Click to expand...
Microsoft knows they fucked up and have been trying to make things better ever since their disastrous reveal of the console 5 years ago. Play Anywhere and cross-platform are not something a company with market dominance does.
jnemesh said:
Considering the hoops you have to jump through to even get these games to RUN on a PC,
Click to expand...
Getting the games to run is simple: I download them and play.
jnemesh said:
and considering the vulnerabilities that using said software opens your system up to,
Click to expand...
The bug was fixed.
jnemesh said:
why would anyone with half a brain even BOTHER with these few pathetic titles when there are literally THOUSANDS of other titles available that don't have the ludicrous restrictions placed on them by Microsoft?
Click to expand...
Because there are games I want to play that are only available through the Microsoft Store. Despite what some may think, Asetto Corsa is not an alternative to Forza.
jnemesh said:
Seriously, TRY and defend this crap! I DARE you!
Click to expand...
Defend what?
 
Took you shills long enough to chime in, next time step to...

Windows is in a downward spiral and it doesn't look like its going to pull up any time soon, if ever. I've been a windows fanboi for decades, I'm moving on. Linux is awesome, but I'm the type of person who likes taking things apart, figuring out how they work, make it better, faster, I prefer choice. m$ doesn't like these types and choice is being removed, the proof is everywhere like the deprecation of the control panel in lieu of shitty kindergarten tiles and a mile long scroll bar with nonsensical vocabulary. Look at the newer versions of office, what a fuckin insult. And don't give me that horse shit that you can use powershell/group policy because things are being disappeared from there as well.

I still have a windows 10 partition for gaming and a few leftover programs, not a huge fan of Libre Office' UI. m$ has charmed game devs with DirectX but things are changing. nVidia, AMD, Steam are all concerned with the direction m$ is going, not to mention android, and they are making inroads to Linux and m$ is scared, you can tell by the way they're sidling up to Linux. If you can't take over a thing you try and control it.

It doesn't take a genius to understand m$ desire to dump everything you do into their cloud, observe your habits, figure out how to control the what and how of 'YOUR' Personal Computer usage because it's ONLY about $ for them. Those with eyes can see windows is becoming the facebook of operating systems and the lure is convenience, especially for the unwashed masses.
 
PeaKr said:
Took you shills long enough to chime in, next time step to...

Windows is in a downward spiral and it doesn't look like its going to pull up any time soon, if ever. I've been a windows fanboi for decades, I'm moving on. Linux is awesome, but I'm the type of person who likes taking things apart, figuring out how they work, make it better, faster, I prefer choice. m$ doesn't like these types and choice is being removed, the proof is everywhere like the deprecation of the control panel in lieu of shitty kindergarten tiles and a mile long scroll bar with nonsensical vocabulary. Look at the newer versions of office, what a fuckin insult. And don't give me that horse shit that you can use powershell/group policy because things are being disappeared from there as well.

I still have a windows 10 partition for gaming and a few leftover programs, not a huge fan of Libre Office' UI. m$ has charmed game devs with DirectX but things are changing. nVidia, AMD, Steam are all concerned with the direction m$ is going, not to mention android, and they are making inroads to Linux and m$ is scared, you can tell by the way they're sidling up to Linux. If you can't take over a thing you try and control it.

It doesn't take a genius to understand m$ desire to dump everything you do into their cloud, observe your habits, figure out how to control the what and how of 'YOUR' Personal Computer usage because it's ONLY about $ for them. Those with eyes can see windows is becoming the facebook of operating systems and the lure is convenience, especially for the unwashed masses.
Click to expand...

I have concerns but, what you are saying is way overboard. Also, as far as loving an OS, only the Amiga and OS/2 Warp were the OSes I loved. Linux is nice and useful but I could not love it.
 
ManofGod said:
Not the same thing nor even close to the same thing. One is an actual functional part of the OS and cross platform infrastructure, one was stand alone and easily dismissed, although that being killed was not good.
Click to expand...

It's very much the same thing. Both are an attempt by MS to have a storefront they control 100%. MS failed badly with Games for Windows Live and I don't see anything different with the current Store. If anything the current store is even worse in how it's even more limited and limiting.

The moment MS finally decides "the Store" is an absolute failure and it's not worth throwing more money at it they'll drop it and everything included in it like a hot potato. You know, the exact same way they've always done this like Games for Windows Live. MS has a nice long track record of things like this and it's one of the big reasons the mobile division failed. People and companies didn't want to waste time, effort and money into creating apps for Windows Phone when it's likely it would be dropped by the wayside or MS made huge changes which basically invalidated all the previous work. Just like how MS had done this in the mobile segment multiple times before. It's the exact same with the store in Win10. People and companies are not flocking to it because they don't trust it. They know it's just a matter of time before the latest MS experiment is abandoned and they have better uses for their time, effort and money.

Deny all you want but MS's history speaks otherwise.
 
jardows said:
Hey, it's not like a Windows update ever bricked my laptop! I don't know what you mean by "hold Microsoft accountable." What do you want us to do? (I know your what your answer would be - switch to Linux, but that is hardly a solution). Microsoft discovered a security flaw in Windows, and fixed it. Happens all the time in all sorts of software. Sometimes it's a bigger flaw than others. Some people are complaining that the flaw should not have existed, I get that. Some people (post #4) are complaining that Microsoft fixed the flaw! I just don't understand the emotional need to pile on hatred towards a tool.
Click to expand...
You're leaving out the fact that a lot of these major issues are things that got reported to MS months or even years ago in places like the feedback hub - and simply ignored.

Not understanding the "outrage" is either being willfully or just unintentionally ignorant of what has been a pattern of behavior with MS for the entirety of Windows 10's existence. Without some backlash, without nolding MS accountable, they'd only feel more emboldened to continue their current course of untested updates and disregard for their customers.

"Hey man at least they eventually fixed it" to years of backdoor access to your entire drive for trojan UWP apps is not really good enough. There's an existential problem with how MS is handling Win10 that needs to be exposed and addressed. Sunlight will prove once again the best disinfectant.
 
DPI said:
You're leaving out the fact that a lot of these major issues are things that got reported to MS months or even years ago in places like the feedback hub - and simply ignored.
Click to expand...
Some issues aren't that simple to fix. Take Spectre and Meltdown - to fix those requires the processor to handle operations in a different way, lowering performance. How long did it take Intel to make a product that had an actual fix for the issue? Sure, processor design is not the same as OS design, but there can be trade-offs, and this was a case of trade-offs. Just have any sort of admin access available is a security hole, so how badly do we want to patch that one?

Not understanding the "outrage" is either being willfully or just unintentionally ignorant of what has been a pattern of behavior with MS for the entirety of Windows 10's existence. Without some backlash, without nolding MS accountable, they'd only feel more emboldened to continue their current course of untested updates and disregard for their customers.

"Hey man at least they eventually fixed it" to years of backdoor access to your entire drive for trojan UWP apps is not really good enough. There's an existential problem with how MS is handling Win10 that needs to be exposed and addressed. Sunlight will prove once again the best disinfectant.
Click to expand...

It's actually more like being fully aware of the pattern of behavior Microsoft has had for the entirety of Windows, and not getting myself worked up over something that has been a common case. If you weren't "outraged" at the security flaws of 3.1, 95, 98, ME, XP, Vista, 7, or 8, why should you be "outraged" at what is going on in 10? Don't tell me it's worse this time around, because I've been hearing that about every version of Windows once it's released. If you were "outraged" at the flaws and behavior patterns of Microsoft 30 years ago, 20 years ago, 10 years ago, why are you still ranting now, as if it will do anything different? Go use your OS that makes you happy and call it a day. With decades of the same behavior patterns, nothing is going to change at Microsoft without a complete corporate leadership change, and unless you own as many shares as Ballmer or Gates, that ain't gonna happen.
 
DPI said:
If the very next update just outright formatted your fucking drive you'd still have the same one or two guys defending it with something about "2-in-1's and inking" or "lol your fault if you dont have backup".
Click to expand...

Ok, what about ray tracing support for nVidia's RTX cards? You're in GPU threads defending nVidia. I go out and spend $2600 dollars on a pair of 2080 Tis plus the NVLink and you blast folks like me over defending Microsoft when all the hell I want to do is to be able to use $2600 worth of hardware to it's full capabilities.

We're three years into this. I never said Windows 10 was perfect and doesn't have issues. But yeah, I not throwing away $2600 on GPUs that aren't fully supported anywhere else. Some of you are being completely disengiouus about this and are just attacking people and not even bothering to think things through, evem over products that you yourself have defended.
 
ManofGod said:
LOL! My opinion this, my opinion that, I guess anyone that is in 3rd should just quit, eh? Essentially, these things you said are strictly your opinion and although you can have one, that does not make it right, except for you personally.

Jump through hoops? You mean purchase, download, run? Oh well...... Also, there are plenty of games in the Play Anywhere list with more to come. I have a steam account and plenty of games there but, tell me, where is the support phone number for Steam? I will wait.........
Click to expand...

You are, of course, free to believe whatever you wish, but the REALITY is that UWP is worthless in a world where MS only competes on the desktop. There is no mobile platform (other than Surface, which is full Windows 10), and their console business is dying. The few titles (like the subject of this article) that are available as UWP apps are really not worth playing in the 1st place, don't make up a huge number of sales, and are only defended by people who are emotionally attached to Microsoft. Everyone else is waiting on the day where we can ditch Windows and MS completely and move to another platform...one without the spyware bullshit.
 
jnemesh said:
Xbox is a joke, and a failure. It's being outsold 3:1 right now by it's competition and is in 3rd place behind the PS4 and Switch...3rd in a 3 man race. Considering the hoops you have to jump through to even get these games to RUN on a PC, and considering the vulnerabilities that using said software opens your system up to, why would anyone with half a brain even BOTHER with these few pathetic titles when there are literally THOUSANDS of other titles available that don't have the ludicrous restrictions placed on them by Microsoft?

Seriously, TRY and defend this crap! I DARE you!
Click to expand...

Given the tone and language of your post, it seems your mind is already made up. You don't actually want to have a discussion with anyone to the contrary. Ultimately it's your opinion as it is anyone's who disagrees with you.

I have an Xbox One and I play several 'Play Anywhere' titles on both the Xbox and my PC. Never had problems. Really nice to be able to go between the systems and have saves seamlessly work between both.
 
You must log in or register to reply here.
Back
Top