Microsoft has stopped developing the Windows 10 Mobile operating system, meaning users no longer receive important updates, although security updates are still delivered on every Patch Tuesday.
Windows 10 Mobile is still around, but the company is not adding any new features or making significant changes to the OS.
If you still use a Windows Phone handset, note that a newly discovered vulnerability could allow an attacker to access your files and folders from the lock screen. Windows Phone market share dropped below 1% a few years ago, but there are still some holdouts using the platform, and the vulnerability affects them.
The vulnerability has been reported by Yuval Ron, Amichai Shulman, and Eli Biham from Israel, and it has been acknowledged by Microsoft on its security platform.
According to the documentation, this vulnerability allows an attacker to access the photo library, as well as modify or delete photos, without authenticating to the system.
Fortunately, the vulnerability requires physical access to the phone, and Cortana must be allowed on the lock screen. In other words, the vulnerability is not a big deal unless we’re talking about the victims of theft.
Microsoft says it will not address this vulnerability in Windows 10 Mobile, but you can use the following workaround to secure your handset:
- Open the Cortana app.
- Tap the three horizontal bars to access the menu.
- Tap Settings and turn off lock screen access to Cortana when the device is locked.
“We reported this issue to Microsoft in December 2018, a year before the operating system’s end-of-life. After nine months of evaluations and analysis, they decided not to patch the vulnerability because of the ‘limited users of Windows 10 Mobile, the physical access requirement to reproduce this issue, and the difficulty in steps to reproduce,’” the researchers said.
Researcher Yuval Ron has also published a video to demonstrate the vulnerability.
Windows 10 Mobile support ends on December 10, and it appears that the firm may not address complex vulnerabilities such as this one, for apparent reasons.