Microsoft Fixes a Major Cortana Vulnerability

Posted on June 13, 2018 by Paul Thurrott in Windows 10 with 13 Comments


Security researchers from McAfee discovered a major vulnerability in Cortana in Windows 10. Fortunately, Microsoft just fixed it.

(See, Google? This is how you can work with platform makers when you discover vulnerabilities.)

“June’s ‘Patch Tuesday’ is here, but it is likely many Windows 10 users have not yet applied these updates,” McAfee notes in a blog post describing the vulnerability. “If you have not, just be sure not to leave your laptop lying around.”

According to McAfee, before this week’s patch, hackers could use “Hey, Cortana” to wake sleeping or locked Windows 10 PCs and arbitrarily run code that could exploit the system. McAfee then documented several ways in which this could happen. The results could include resetting the user’s password and taking over the PC and the user’s account.

“The easiest mitigation technique, in the absence of patching the device (which we strongly recommend), is to turn off Cortana on the lock screen,” McAfee adds. “This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140.”

“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status,” the Microsoft patch description notes. “An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.”

