Microsoft Fixes a Major Cortana Vulnerability


Security researchers from McAfee discovered a major vulnerability in Cortana in Windows 10. Fortunately, Microsoft just fixed it.

(See, Google? This is how you can work with platform makers when you discover vulnerabilities.)


“June’s ‘Patch Tuesday’ is here, but it is likely many Windows 10 users have not yet applied these updates,” McAfee notes in a blog post describing the vulnerability. “If you have not, just be sure not to leave your laptop lying around.”

According to McAfee, before this week’s patch, attackers could use “Hey, Cortana” to wake sleeping or locked Windows 10 PCs and run arbitrary code that could exploit the system. McAfee then documented several ways in which this could happen. The results could include resetting the user’s password and taking over the PC and the user’s account.

“The easiest mitigation technique, in the absence of patching the device (which we strongly recommend), is to turn off Cortana on the lock screen,” McAfee adds. “This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140.”

“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status,” the Microsoft patch description notes. “An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.”
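For the lock-screen mitigation McAfee describes above, the following is an added example (not from McAfee, Microsoft or the original post) that audits and, if needed, enforces the "Allow Cortana above lock screen" Group Policy through its registry value. The function names are hypothetical, and the example assumes the policy is stored as the DWORD `AllowCortanaAboveLock` under the Windows Search policy key.

```powershell
# Added example: audit and enforce the "Allow Cortana above lock screen" policy.
# Assumption: the policy is stored as the DWORD AllowCortanaAboveLock under this key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockPolicy {
    # Returns 'Disabled' (value 0), 'Enabled' (non-zero) or 'NotConfigured' (value absent).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-CortanaAboveLock {
    # Hypothetical helper: writes the policy value; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set to 0')) {
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-CortanaAboveLockPolicy
Write-Output "Cortana above lock screen policy: $state"

if ($state -ne 'Disabled') {
    # 'NotConfigured' leaves the choice to each user's own setting,
    # so it is treated the same as 'Enabled' here.
    Disable-CortanaAboveLock -WhatIf   # drop -WhatIf in an elevated session to apply
}
```

The policy only closes the lock-screen entry point; installing the June update that carries the CVE-2018-8140 fix remains the actual remediation.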

 


Conversation 14 comments

  • RM

    13 June, 2018 - 3:02 pm

    "(See, Google? This is how you can work with platform makers when you discover vulnerabilities.)" Google doesn't know what you are talking about, their whole purpose with being evil is to weaken Microsoft's products at the cost of everyone. ;)

  • bbold

    13 June, 2018 - 5:24 pm

    Good to know!

    I have a question.. If McAfee (and other Antivirus programs) are truly 'bad' for our PC's (according to most techs I know, including Leo LaPorte), then how is it that a company like McAfee (who reportedly is slow to respond to sudden attacks, security issues and malware incidents) able to find this issue before Microsoft, who apparently has Windows Defender which is 'just as good' as McAfee or any of the other AV programs? Makes me wonder if we should be switching to a third party AV or just stick with Windows Defender.. Any thoughts?

    • lvthunder

      Premium Member
      13 June, 2018 - 6:47 pm

      In reply to bbold:

      Just because you have a good researcher or two doesn't mean your software is any good. Leo doesn't recommend these anti viruses because of how badly it messes up your machine.

    • jean

      14 June, 2018 - 2:42 am

      In reply to bbold:

      to be honest: that is a question likely to be raised by a 4 year old – think again

  • Bats

    13 June, 2018 - 7:08 pm

    No word on the fix for Cortana's other vulnerability? Its uselessness?

    • Tony Barrett

      14 June, 2018 - 7:27 am

      In reply to Bats:

      Well, at least there won't be many affected by this Cortana vulnerability then!

  • Winner

    13 June, 2018 - 11:31 pm

    …but I thought Windows 10 was more secure than Windows 7 and 8?

    Those versions don't have the Cortana vulnerability.

    • JCerna

      Premium Member
      14 June, 2018 - 1:09 am

      In reply to Winner:

      So this type of vulnerability requires physical access to the machine. In Windows and Mac OS you can boot using a flash drive on almost any machine and then use simple commands to "hack" an account and do whatever you want. Heck, you could install software, viruses, whatever.

      Windows 10 is more secure than 7, that is a fact. You should never leave your device where others can access it locally, because at that point security is basically gone.

      • Winner

        14 June, 2018 - 3:20 am

        In reply to JCerna:

        You can't really say Windows 10 is more secure. That takes years of experience. There have been vulnerabilities that are unique to Win 10 but not 7 or 8. Windows 10 may have more security features than earlier versions, but that is not the same as actual security. New features actually introduce vulnerabilities, and only with the benefit of 5-10 year hindsight can you really say which versions were better. Which is why it was ridiculous that, upon the release of Windows 10, it was claimed to be "the most secure Windows ever".

      • Tony Barrett

        14 June, 2018 - 7:26 am

        In reply to JCerna:

        Windows 10 may be designed to be more secure, and I don't doubt that, but the majority of those monthly security fixes for Win7 and 8 are also applicable to Win10 – and Win10 has a much bigger attack surface with all those extra features!

        Win10 is just Windows underneath, built on the same monolithic kernel, so while MS seek to secure it from the outside world, internally, it's just as vulnerable.

  • madthinus

    Premium Member
    14 June, 2018 - 7:16 am

    Great, so they can just sweet talk their way into my computer…

  • PeteB

    14 June, 2018 - 1:25 pm

    Thank god I just delete Cortana from the install ISO with MSGS Toolkit so it can't even take root. #prevention


Thurrott © 2024 Thurrott LLC