Digital assistants have become a part of everyday life for many people and are supposed to make interactions with technology easier and more seamless. Unfortunately, they can also be used against us in some situations. Underscoring this point, McAfee discovered a vulnerability in Cortana that could allow an attacker to snoop file names, execute malicious code, and even break into a locked Windows 10 PC. Fortunately, there is a patch available.
McAfee wrote about the exploit in a lengthy blog post, describing how one of Cortana's features can be turned against the user. Microsoft is always making improvements to Cortana, and the latest version allows users to search for files and other content with voice commands, even from the lock screen. It's a convenience, but also a potential security threat.
"If you have spoken with Cortana, you may have noticed that 'she' is very helpful for a number of simple tasks: providing definitions, or looking up corporations, movies, artists, or athletes. She can even do math! In Windows 10, on the most recent build at the time of submission, we observed that the default settings enable 'Hey Cortana' from the lock screen, allowing anyone to interact with the voice-based assistant. This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution," McAfee explains.
The blog went on to detail various ways to exploit this feature, such as executing a malicious payload from a USB flash drive. That particular one is the most severe, as it allows an attacker to change the login credentials of a locked Windows 10 PC, thereby gaining full access to the system and all of its contents. Obviously that is concerning.
Microsoft agreed, and after being alerted to the issue on April 23, it included a fix in yesterday's Patch Tuesday rollout. Of note is CVE-2018-8140, described as a Cortana Elevation of Privilege Vulnerability.
"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. To exploit the vulnerability, an attacker would require physical/console access and the system would need to have Cortana assistance enabled. The security update addresses the vulnerability by ensuring Cortana considers status when it retrieves information from input services," Microsoft says.
It's not clear if anyone in the wild has actually exploited Cortana in such a manner. As Microsoft notes, an attacker would need to have physical access to a PC, so it's limited in scope. Nevertheless, this is something that every Windows 10 user should mitigate. One way is to disable Cortana altogether, and the other is to apply the latest Patch Tuesday update, the latter of which is recommended regardless.
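As an added example (not from the article, McAfee or Microsoft), the following PowerShell audit checks the two mitigations above on a Windows 10 host: whether Cortana is allowed at all and above the lock screen by policy, and whether the fix is installed. It assumes the Group Policy values AllowCortana and AllowCortanaAboveLock under the Windows Search policy key map to the "Allow Cortana" and "Allow Cortana above lock screen" settings; the KB number for CVE-2018-8140 is not on the page and is left as a placeholder.

```powershell
# Added audit/hardening example, not the article's or Microsoft's code.
# Assumption: AllowCortana / AllowCortanaAboveLock under this policy key are the
# registry backing of the corresponding Group Policy settings (0 = disallowed).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PatchKB   = 'KBNNNNNNN'   # placeholder: take the real KB from the CVE-2018-8140 advisory

function Get-CortanaLockScreenExposure {
    # A missing policy value means "not configured", which leaves the feature allowed.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $cortanaAllowed   = if ($null -eq $props.AllowCortana)          { $true } else { $props.AllowCortana -ne 0 }
    $aboveLockAllowed = if ($null -eq $props.AllowCortanaAboveLock) { $true } else { $props.AllowCortanaAboveLock -ne 0 }
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        CortanaEnabled       = $cortanaAllowed
        CortanaAboveLock     = $aboveLockAllowed
        PatchInstalled       = $patched
        # Exposed only when unpatched AND Cortana is reachable from the lock screen.
        ExposedToCVE20188140 = (-not $patched) -and $cortanaAllowed -and $aboveLockAllowed
    }
}

function Disable-CortanaAboveLock {
    # The lighter mitigation the article mentions: keep Cortana, but not on the lock screen.
    # Run elevated; the policy takes effect at the next sign-in or restart.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'AllowCortanaAboveLock' -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-CortanaLockScreenExposure
$state | Format-List
if ($state.ExposedToCVE20188140) { Disable-CortanaAboveLock }
```

Setting AllowCortana to 0 in the same key is the heavier option of disabling Cortana altogether; applying the update is still the recommended fix either way.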