Researchers have revealed how Microsoft’s Cortana could be used to bypass the security protection of Windows 10.
Speaking at Black Hat in Las Vegas this week, security researchers Amichai Shulman and Tal Be’ery from Kzen Networks, alongside the Israel Institute of Technology’s Ron Marcovich and Yuval Ron, said a vulnerability existed in the voice assistant which allowed the bypass of the Windows 10 lock screen.
As reported by Threat Post, the vulnerability, dubbed “Open Sesame,” bypasses the lock screen and allows threat actors with physical access to locally perform “dangerous functions.”
The bug, CVE-2018-8140, lay within Cortana’s default settings. Described as a “Cortana Elevation of Privilege Vulnerability,” the vulnerability impacts Windows 10 machines and Windows 10 Servers.
Although the Windows 10 lock screen disables the keyboard, users can still issue a limited range of voice commands. However, once Cortana is woken, the keyboard is no longer restricted.
This allowed the research team to launch local commands without the need for authentication or user validation.
As a result, attackers are able to retrieve data from user input services — including sensitive text and media content — browse arbitrary websites, download and execute files from the Internet, and in some circumstances, elevate privileges.
As the attack circumvented the need to log in to the system and no external code was required, the researchers said that antivirus solutions were blind to the activity, according to the publication.
The team noted that the lock screen is far from impenetrable; rather, it acts as another “desktop” with limited access.
As more apps are added to the voice assistant in tandem with the lock screen, the potential attack surface increases.
“In the past, the operating system made sure the UI is not accessible when the computer is locked, therefore developers do not need to think about it,” the researchers said. “Now, it’s the developers’ responsibility.”
The vulnerability was reported to Microsoft on April 16 and the company issued a remedial patch on June 12. McAfee researchers also notified Microsoft of the same security flaw.
In the same month, the Redmond giant resolved 50 security flaws in the Patch Tuesday update, including a black screen problem, an Adobe Flash Player security flaw which was being exploited in the wild, and a set of remote code execution bugs.