Microsoft’s Cortana voice assistant briefly contained a vulnerability that could have been exploited by hackers to access a locked Windows 10 machine. In its June Patch Tuesday update, Microsoft fixed 11 critical flaws in Windows 10, including the Cortana vulnerability discovered by McAfee researchers.
Researchers discovered that the vulnerability, CVE-2018-8140, could be exploited by activating Cortana on a Windows 10 machine and tricking it into opening a contextual menu that could be used for remote code execution. The attack requires that Cortana be enabled, that the device be in screen lock mode, and that the attacker have physical access to the device.
Although Cortana needs to be asked complex questions to activate access, it could expose sensitive data from user input services without considering user status. Users can simply say “Hey Cortana”, start typing, and issue a voice command to bring up a search pop-up with various features and capabilities.
“In Windows 10, on the most recent build at the time of submission, we observed that the default settings enable ‘Hey Cortana’ from the lock screen, allowing anyone to interact with the voice-based assistant,” McAfee's cybersecurity architect and senior principal engineer Cedric Cochin said. “This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution.”
To exploit the vulnerability with the screen locked, one simply needs to say “Hey Cortana” followed by the letters P A S.
“This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu,” researchers said. In McAfee’s example, files such as PASswords.txt or Zlib.pass popped up.
“If the match is driven by filename matching, then you will be presented with the full path of the file. If the match is driven by the file content matching, then you may be presented with the content of the file itself,” Cochin wrote.
Cochin privately disclosed the vulnerability to Microsoft in April, noting that the problem lies with Cortana’s default Windows 10 settings. The researchers have also released a proof-of-concept report demonstrating a range of attack vectors that could have been used to exploit the vulnerability using simple voice commands. For example, an attacker can search for keywords such as “OneDrive”, execute arbitrary code from the lock screen using Cortana’s contextual menu, or carry out a complete password reset procedure and then log in to Windows 10.
This method could also be used to write executable files such as a backdoor to the device itself.
Microsoft fixed the vulnerability on Tuesday, June 13.