Security Vulnerability
Published: 10/08/2019
MITRE CVE-2019-1314
A security feature bypass vulnerability exists in Windows 10 Mobile when Cortana allows a user to access files and folders through the locked screen. An attacker who successfully exploited this vulnerability could access the photo library of an affected phone and modify or delete photos without authenticating to the system.
To exploit the vulnerability, an attacker would require physical access and the phone would need to have Cortana assistance allowed from the lock screen.
Exploitability Assessment
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
No | No | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable |
Security Updates
To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.
Product | Platform | Article | Download | Impact | Severity | Supersedence |
Windows 10 Mobile | | | | Security Feature Bypass | Important | |
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
The following workaround can protect users from this vulnerability by disabling access to Cortana on the phone lock screen. This can be accomplished by following these steps:
- Open the Cortana app from the applications screen.
- Tap on the Menu button (3 horizontal bars) in the top left of the Cortana app.
- Tap on the Settings option.
- Set the slider for the Lock Screen option to Off to prevent access to Cortana when the device is locked.
FAQ
Where do I find the update for Windows 10 Mobile?
Microsoft is not planning on fixing this vulnerability in Windows 10 Mobile. Microsoft recommends implementing the workaround to restrict access to Cortana.
Acknowledgements
Yuval Ron, Amichai Shulman, and Eli Biham of Technion - Israel Institute of Technology
See acknowledgements for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
Version | Date | Description |
1.0 | 10/08/2019 | Information published. |