Microsoft’s ‘smart’ Cortana assistant looked pretty dumb this week after allowing security researchers to access, and exploit, a locked device.
Users who hadn’t disabled Cortana assistance at the lock screen were at risk from any knowledgeable attacker with physical access to the machine. CVE-2018-8140, the Cortana Elevation of Privilege Vulnerability, has been fixed in the latest Microsoft security update by ensuring Cortana considers status when retrieving information from input services.
Researchers at McAfee, who disclosed the vulnerability to Microsoft, discovered that simply typing while Cortana starts to listen to a voice query on a locked device brings up a Windows contextual menu. “We now have a contextual menu, displayed on a locked Windows 10 device,” the researchers reveal in the technical teardown, “what could go wrong?” Quite a lot, actually.