Windows 10 and the OneDrive vulnerabilities – Part 1

This article is about the OneDrive client that Microsoft delivers with Windows 10. The way Microsoft’s developers have implemented this client leaves several vulnerabilities. Here are a few details from an investigation.




In the beginning was the word…

Microsoft provides a OneDrive client in Windows 10. According to Microsoft’s marketing, OneDrive should be used everywhere to save data to the cloud service of the same name. But how safe is the client’s implementation, especially in view of the claim that ‘Windows 10 is the most secure Windows ever developed’ (not my words, it’s Microsoft’s saying)?

After reading this article (I am planning a separate blog post about that topic), the idea for a blog post ‘investigating OneDrive client under the hood’ came up, because I had some fragments of information about OneDrive and its security issues from Stefan Kanthak, who deals a lot with security issues. Stefan Kanthak put me on cc of a mail that says:

>A friend of mine has disabled OneDrive on Windows 10 because she didn’t want to use the service anymore.

Stefan Kanthak asked within this e-mail: Why did she even activate this junk? – and then he shot a volley of statements about the OneDrive client and its vulnerabilities to the poor recipient of the e-mail.

Note: Microsoft also offers a OneDrive for Business client within Office 365, which is in fact a different client. I haven’t examined this client. But at least the suspicion is obvious that it doesn’t look any different there.

Dude, don’t read the fucking “Designed for Windows” rules

I had already mentioned it in one or two of my German blog posts: When I look at Windows development from Windows 8 onward, I’m missing the design basics that Microsoft once published in the early days of Windows 95 (I translated the German edition of the Microsoft Press title Programming the Windows 95 User Interface (Microsoft programming series)).

But there are many other documents that Microsoft once published for software developers. Even though I have been out of software development for 25 years, I found these guidelines very useful. However, this knowledge seems to have either been lost in Redmond, or been outsourced to the company museum, or no longer fits into today’s development processes. Stefan Kanthak describes it a little more directly:



>These Id***, who created this junk [the OneDrive client under Windows], ignore the MINIMAL specifications of the 23-year-old “Designed for Windows” guidelines.
>
>They don’t install this crap under %ProgramFiles%, where it is safe from write access by users, but in the user profile of ANY user.

That was something I had already noticed, but I couldn’t make sense of it. In fact, the OneDrive client can be found (with all files) in each user profile under

C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive


It is indeed the case that a user (but also malware) has write access to this folder, i.e. can manipulate the OneDrive files at will. This approach has been frowned upon for 23 years according to the “Designed for Windows” guidelines. But the developers in Redmond probably don’t read such old things anymore – and the old experienced developers are long gone. Another possible explanation can be found in Part 3 of the article series – in that case Microsoft would be making bad compromises, and Windows users should draw their own conclusions.
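The following PowerShell audit is an added example, not code from the original article or from Microsoft. It compares the per-user OneDrive directory named above with %ProgramFiles% by checking whether the current user's token is granted write-type rights, then lists OneDrive binaries whose Authenticode signature does not verify. The function name `Test-UserWritable` and the choice of rights in the mask are assumptions made for this illustration.

```powershell
# Added example: compare the per-user OneDrive install directory with
# %ProgramFiles%. Run it from a normal (non-elevated) session.
$oneDrive = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'   # path named in the article
$targets  = @($oneDrive, $env:ProgramFiles)

# SIDs of the current user and of the groups enabled in its token.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Rights that allow changing or replacing files, plus GENERIC_ALL / GENERIC_WRITE.
$rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

function Test-UserWritable([string]$Path) {
    # Simplification: only Allow entries are evaluated, Deny entries are ignored.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $sids -contains $rule.IdentityReference.Value -and
            ([int]$rule.FileSystemRights -band $writeMask)) {
            return $true
        }
    }
    return $false
}

foreach ($dir in $targets) {
    if (Test-Path -LiteralPath $dir) {
        '{0} : writable by current user = {1}' -f $dir, (Test-UserWritable $dir)
    } else {
        '{0} : not present' -f $dir
    }
}

# Binaries in the user-writable location whose Authenticode signature does not verify.
if (Test-Path -LiteralPath $oneDrive) {
    Get-ChildItem -Path $oneDrive -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        Get-AuthenticodeSignature |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Status, Path
}
```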

Unfortunately, today’s story goes even further, and by no means in a more positive direction. Microsoft developers have made further mistakes, such as using outdated open source libraries which contain well-known vulnerabilities. But that is the subject of Part 2 of this article series.

Articles:
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3

Similar articles
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01





One Response to Windows 10 and the OneDrive vulnerabilities – Part 1

  1. Crysta T Lacey says:

    I thought I would just mention that both Google and Microsoft have made some very radical changes to each of their offerings, to the point I won’t have them anywhere near my Data Disk under Windows. I just plain don’t trust them or their Engineers’/Developers’ next iterations. Their Apps are both uninstalled.

    Therefore I went with a buffer that maintains constant access and would be easy to use with Total Commander by Christian GHISLER to maintain my own Tower Disk Copies as well as to update OneDrive and GDrive. That solution was Synology DSN on my NAS Paddock and one of their Apps that does both equally well. This provides the buffer I need against the foolishness (IMHO).

    Total Commander provides a Synchable Comparison that I run every so often for me off of my Server Paddock (as opposed to a whole Farm). The Synology Apps have a short time frame two-way (GDrive) and one-way (OneDrive) synching. OneDrive is strictly Backup, where GDrive is a bit more dynamic.
