Cortana in Windows 10
Image Courtesy: Arstechnica.com

Microsoft has improved the search feature in Windows 10 with Cortana digital assistant, and it’s now easier to find the information that you’re looking for straight from Cortana with simple voice command. Microsoft earlier this month at Insider Dev Tour in London revealed that more than 150 million people use Cortana across 13 countries.

On the other hand, the talented security researchers at McAfee discovered a code execution vulnerability in the operating system using Microsoft’s digital assistant, Cortana.

McAfee Labs Advanced Threat Research team in a blog post announced the discovery of a code execution vulnerability on Windows 10. The researchers have used default settings for Windows 10 and Cortana to “break” into a locked Windows 10 device.

It’s worth noting that McAfee Labs Advanced Threat Research team submitted the vulnerability details to Microsoft On April 23, and the latest June 2018 patch for Windows 10 includes the fixes for the disclosed vulnerability.

“The vulnerability was submitted to Microsoft as part of the McAfee Labs Advanced Threat Research team’s responsible disclosure policy, on April 23. Attribution for this vulnerability submission goes to Cedric Cochin, Cyber Security Architect and Senior Principle Engineer,” McAfee’s security researchers Cedric Cochin and Steve Povolny said in a blog post.

This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140. Microsoft explains that the attacker would require physical access to a Cortana-enabled system to exploit the vulnerability. The attacker who successfully exploited the vulnerability could execute commands with elevated permissions.

“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status,” Microsoft explains. “The security update addresses the vulnerability by ensuring Cortana considers status when retrieves information from input services.”

Cortana security issues
Image Courtesy: McAfee.com

McAfee Labs Advanced Threat Research team discovered three attack vectors. The locked screen could be bypassed by using a voice command in Cortana.

An attacker could search for confidential information and files, locate and sensitive information (it depends on the app and restrictions), and execute arbitrary code from the lock screen using Cortana, the security firm explains.

McAfee advises users to install the latest security patch on Windows 10 to ensure a safe and secure experience.

Disclaimer: The information contained in this article is based on a report from McAfee Labs Advanced Threat Research team. Windows Latest makes no claims, guarantees about the accuracy or completeness in this article, and shall not be held responsible for anything we say in this article.