Security researchers from McAfee discovered a major vulnerability in Cortana in Windows 10. Fortunately, Microsoft just fixed it.
(See, Google? This is how you can work with platform makers when you discover vulnerabilities.)
“June’s ‘Patch Tuesday’ is here, but it is likely many Windows 10 users have not yet applied these updates,” McAfee notes in a blog post describing the vulnerability. “If you have not, just be sure not to leave your laptop lying around.”
According to McAfee, prior to this week’s patch, an attacker with physical access could use “Hey, Cortana” to wake a sleeping or locked Windows 10 PC and run arbitrary code from the lock screen. The post then documented several ways in which this could happen. The results could include resetting the user’s password and taking over the PC and the user’s account.
“The easiest mitigation technique, in the absence of patching the device (which we strongly recommend), is to turn off Cortana on the lock screen,” McAfee adds. “This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140.”
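For administrators who cannot patch immediately, the workaround McAfee recommends can be audited and enforced centrally rather than clicked through on each machine. The following PowerShell is an added example, not code from McAfee’s post or Microsoft’s advisory. It assumes that the “Allow Cortana above lock screen” policy is backed by the `AllowCortanaAboveLock` DWORD under the Windows Search policy key (verify against the Search.admx for your build), and it uses a placeholder KB identifier because the post does not name the June 2018 update package.

```powershell
# Added example (not from McAfee's post or Microsoft's advisory): audit and apply
# the lock-screen Cortana mitigation through the machine policy registry key.
# Assumption: the "Allow Cortana above lock screen" policy is stored as the
# DWORD value AllowCortanaAboveLock under the Windows Search policy key.
# Verify against the Search.admx shipped with your Windows build. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # 'Disabled'      : policy explicitly sets 0 (mitigation in place)
    # 'Enabled'       : policy explicitly sets 1
    # 'NotConfigured' : no policy value, so the user's own setting applies
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-CortanaAboveLock {
    # Create the policy key if it does not exist, then force the value to 0.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-CortanaAboveLockState
Write-Host "Cortana above lock screen (policy): $before"
if ($before -ne 'Disabled') {
    Disable-CortanaAboveLock
    Write-Host "Cortana above lock screen (policy): $(Get-CortanaAboveLockState)"
}

# Patch check: replace KB-PLACEHOLDER with the June 2018 cumulative update ID
# for this build (the post does not give it). Get-HotFix lists installed updates.
$kb = 'KB-PLACEHOLDER'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "$kb is installed; the CVE-2018-8140 fix should be present."
} else {
    Write-Host "$kb not found; apply the June 2018 Patch Tuesday update."
}
```

The policy value is the mitigation, not the fix: keep it in place until the update is confirmed installed, and expect a sign-out or reboot before Cortana honours the new setting on an already unlocked session.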
“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status,” the Microsoft patch description notes. “An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.”