Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn't telling users when apps requested permission to access all a user's files.
The bug in the Windows 'broadFileSystemAccess' API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user's documents, photos, downloads, and files stored in OneDrive.
The issue was spotted by .NET developer Sébastien Lachance who built an enterprise app that was suddenly broken in the Windows 10 October 2018 Update, aka 1809, the version currently on hold as Microsoft finalizes testing its fix for the data-loss bug.
Normally UWP apps are restricted to certain folder locations, but developers can request access to other locations too, so long as the app is granted permission by the user.
As noted in Microsoft's documentation, the broadFileSystemAccess API gives access to all files that a user has access to. Microsoft promoted the feature as a way for developers to make their UWP apps more user-friendly.
"This is a restricted capability. On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system," Microsoft explains.
"If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it. This capability works for APIs in the Windows.Storage namespace."
SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)
The problem is that until version 1809, users weren't getting the permission prompt and the API could actually be used to access the full file system.
According to Lachance, the dialog is meant to be displayed to a user on the first use of the app, as per the documentation. Microsoft recognized this is a privacy issue and so set the broad access file system value to off.
If users are concerned that an app they've installed has gained wider access to files than preferred, users can limit that access in within Settings > Privacy > File.
Developers who previously used the API may also find their UWP apps now crash when users move to version 1809.
Previous and related coverage
Microsoft offers a workaround for a bug that causes the silent failure of copying from ZIP folders to regular folders.
A Feedback Hub user reported the latest Windows 10 October 2018 Update bug three months ago. Microsoft has fixed the issue in preview builds of the 19H1 version of Windows 10, so it should be fixed in 1809 soon.
Microsoft finds and fixes more glitches in Windows 10 October 2018 Update.
Intel accidentally pushed an incompatible audio driver to Windows 10 devices through Windows Update.
Admins struggle with the latest Windows 10 1809 patch on some HP systems.
Microsoft makes changes to its Feedback Hub after failing to notice early reports flagging up data losses caused by the Windows 10 October 2108 Update.
Only days after releasing its latest feature update to Windows 10, Microsoft abruptly stopped the rollout and pulled the new version from its download servers as it investigates "isolated reports" of a data-destroying bug. What should you do now?
No word yet from Microsoft about Windows 10 October 2018 Update deleting user files -- but it's a problem Windows Insiders have encountered before.
Back up files before upgrading to Windows 10 1809, and if you get a warning about Intel drivers, do not proceed.
Microsoft is starting to roll out the Windows 10 October 2018 Update today, starting with Insiders and those ready to proactively grab the new bits.
Windows 10 is getting a big update in its next release. Here are some of the enterprise-centered features to expect in the Windows 10 October 2018 Update.
Plus: Windows 10 October 2018 Update is now available.