Microsoft has fixed a vulnerability in the Cortana smart assistant that could have allowed an attacker with physical access to a locked computer to use the assistant to access data on the device, run malicious code, or even change the account password and take over the machine entirely.
The problem was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April.
The vulnerability is tracked as CVE-2018-8140, which Microsoft classified as an elevation of privilege and patched yesterday as part of the company’s monthly security updates.
Cochin says the problem existed because of several quirks in the way Cortana lets users interact with the underlying Windows 10 operating system while the device is locked.
The researcher found several behaviours that could be combined into a larger attack:
- Users can start typing after saying “Hey Cortana” and issuing a voice command. This opens a special search pop-up window with several features and capabilities.
- Users can type text into this pop-up window, which searches the index of the computer’s applications and file system. Typing certain strings, such as “pas” (as in “password”), makes the search return files that contain this string in their file path or in their contents. Hovering over one of these search results can reveal the location of the file on disk, or the contents of the file itself (a serious problem if the revealed content is a password).
- Users can open a right-click context menu after using the same trick of starting to type after activating Cortana. These menus include several sensitive options, such as “Open file location”, “Copy full path”, “Run as administrator” or, more dangerously, “Run with PowerShell”.
- Using the same trick of starting typing after issuing a Cortana voice command, attackers can execute files or execute PowerShell commands.
Combining all these problems into one attack, Cochin says that an attacker with access to a locked computer can carry out the following attack:
- The attacker plugs in a USB stick containing a malicious PowerShell script. Windows announces the new drive by displaying its drive letter in a small notification at the bottom of the screen, which tells the attacker the exact path to the malicious script file.
- The attacker issues a Cortana voice command but starts typing on the keyboard to interrupt the execution of the voice command. This opens a special Cortana search pop-up window.
- The attacker executes a PowerShell command with CLI arguments to run the malicious PowerShell script on the USB drive.
- The malicious PowerShell script runs, even though the computer is locked. The attacker can use PowerShell to reset the password, disable security software, chain further commands, or do anything else they want.
Cochin published detailed information on how CVE-2018-8140 affects recent versions of Windows 10, along with the following video, which shows how he hijacked a computer by changing the password of a locked account using Cortana.
Users are advised to upgrade to the latest version of Windows or disable Cortana on the lock screen.
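The second piece of that advice, turning Cortana off on the lock screen, can be enforced and verified fleet-wide rather than relying on each user’s Settings toggle. The script below is an added example written for this article; it is not code from McAfee, Microsoft, or the original report. It assumes the documented Group Policy “Allow Cortana above lock screen”, which is backed by the `AllowCortanaAboveLock` DWORD under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search`, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article, McAfee or Microsoft): enforce and verify the
# "Allow Cortana above lock screen" policy through its registry-backed value.
# Assumption: the policy path and value name below match the documented Group Policy.
# Run from an elevated prompt; the change applies at the next sign-in or lock.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName  = 'AllowCortanaAboveLock'

function Get-CortanaLockScreenState {
    # Reads the policy value and reports whether Cortana is still reachable from
    # the lock screen. When the policy is absent, Windows falls back to the
    # user's Settings toggle, which defaults to allowed, so treat "absent" as exposed.
    $raw = $null
    if (Test-Path -Path $PolicyPath) {
        $props = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $props) { $raw = $props.$ValueName }
    }
    [pscustomobject]@{
        PolicyConfigured = ($null -ne $raw)
        AllowedAboveLock = ($null -eq $raw) -or ($raw -ne 0)
        RawValue         = $raw
    }
}

function Disable-CortanaAboveLock {
    # Creates the policy key if needed and sets the value to 0 (disabled).
    # Setting it as policy also greys out the toggle in Settings so a user cannot re-enable it.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Audit first, then remediate only if the machine is exposed.
$before = Get-CortanaLockScreenState
if ($before.AllowedAboveLock) {
    Write-Output "Cortana is reachable above the lock screen (policy value: $($before.RawValue)); applying policy."
    Disable-CortanaAboveLock
} else {
    Write-Output "Cortana is already blocked above the lock screen; nothing to do."
}

# Re-read the value to confirm the write took effect before reporting success.
$after = Get-CortanaLockScreenState
if ($after.AllowedAboveLock) {
    Write-Warning "Policy write did not take effect (value: $($after.RawValue)). Check permissions or conflicting GPOs."
    exit 1
}
Write-Output "$ValueName = $($after.RawValue): Cortana is disabled on the lock screen."
```

The audit-then-remediate shape matters for a fleet: the first call gives you an inventory of exposed machines, and the re-read after the write catches the common failure mode where a domain GPO or a locked-down registry ACL silently overrides a local change. Pair it with the update itself, since this setting limits what Cortana can reach from the lock screen but does not replace the patch for CVE-2018-8140.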