Bug could allow a malicious actor to access photo gallery

Oct 11, 2019 09:26 GMT  ·  By

If for some reason you’re still running Windows 10 Mobile, maybe this new security vulnerability convinces you it’s time to move on.

A security flaw discovered in Windows 10 Mobile allows a malicious actor to access your photo gallery from the lock screen without even unlocking the device.

Microsoft has already acknowledged the issue, but what’s worse is that the company won’t roll out a patch, leaving it unfixed.

The good part is that a successful attack requires the attacker to have physical access to the device, and Cortana must be enabled on the lock screen. Without both conditions, an exploit can’t work.

“A security feature bypass vulnerability exists in Windows 10 Mobile when Cortana allows a user to access files and folders through the locked screen. An attacker who successfully exploited this vulnerability could access the photo library of an affected phone and modify or delete photos without authenticating to the system,” Microsoft explains in CVE-2019-1314.

“Microsoft is not planning on fixing this vulnerability in Windows 10 Mobile. Microsoft recommends implementing the workaround to restrict access to Cortana.”

No attacks so far

The vulnerability is flagged with an “important” severity rating, and Microsoft says it wasn’t publicly disclosed and it’s not aware of any exploits out in the wild. Furthermore, given that physical access to the device is required, exploitation is less likely, the company notes.

So what are your options now that Microsoft doesn’t want to release a fix for this issue?

Of course, you can use Microsoft’s workaround and disable Cortana either completely or on the lock screen, which obviously means losing one of the key features of Windows 10 Mobile in the first place.

Or you can simply move to Android or iOS, the platforms that Microsoft is super-committed to, as Windows 10 Mobile will be losing full support in December anyway.

UPDATE: Security researcher Yuval Ron, who discovered the flaw and reported it to Microsoft, published a demo on YouTube (embedded below). In a statement for Softpedia, he explains that Microsoft's decision not to patch the flaw is probably based on the reduced number of users still on Windows 10 Mobile.

"Microsoft’s decision not to fix this vulnerability is mainly because of the limited number of users. However, it is still surprising since they should support Windows 10 Mobile until December. The best recommendation is to disable Cortana on Lock screen," he said.