One vulnerability patched by Microsoft yesterday fixes an elevation of privilege issue in its Cortana voice assistant that can be exposed when used in a Windows 10 device.
Exploiting CVE-2018-8140 is not a simple task and requires physical access to the device, Cortana must be enabled and the device must be in screen lock mode. Cortana also needs to be asked a rather convoluted question to activate access, but if these parameters are met Cortana can retrieve data from user input services without consideration for status.
McAfee researchers, who originally disclosed the issue in April, noted the problem lies in Cortana's default settings with access taking place when the device is set with its screen locked and Cortana enabled.
“In Windows 10, on the most recent build at the time of submission, we observed that the default settings enable “Hey Cortana” from the lock screen, allowing anyone to interact with the voice-based assistant. This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution,” said Cedric Cochin, McAfee's cybersecurity architect and senior principle engineer, who is credited with finding the vulnerability.
The trick is to say, with the screen locked, “Hey Cortana” followed by the letters P A S, while at the same time creating a using a whitespace keyboard sequence with the keyboard.
This brings up a contextual menu on the locked Windows 10 screen. In McAfee's example files such as PASswords.txt or Zlib.pass were among the items that appeared.
“If the match is driven by filename matching, then you will be presented with the full path of the file. If the match is driven by the file content matching, then you may be presented with the content of the file itself,” Cochin wrote.Using this methodology an attacker can also write executable files to the device, like a backdoor. The malicious actor cannot directly execute them at that time, but if the person instead drops a Portable executable backdoor there is a pathway t