In this month’s Patch Tuesday event, Microsoft has released a cumulative update of KB4284819 to fix this issue, so users are recommended to complete the upgrade as soon as possible.
Source: Neowin
CVE-2018-8140: Cortana Critical Security Vulnerabilities
The CVE-2018-8140 vulnerability was initially submitted to Microsoft on April 23 and was subsequently fixed in June Patch Tuesday event. The vulnerability can use Cortana’s weakness to implement three different attacks, including retrieving confidential information, logging in to a locked device, and even executing code on the lock screen interface. McAfee’s security research experts discovered the vulnerability. Just entering “pas” allows Cortana to search for many files containing the beginning of a phrase.
Because Cortana relies on indexes for queries, the result is that you can access various password files, even match the title or file content, view the full path to the file location, and even the contents of the data. Besides, Cortana has a more severe privilege escalation vulnerability that allows Cortana to interact with the lock screen without having to consider the user’s state.
In addition to some sophisticated attacks, McAfee also shares a simple method to change login credentials on the lock screen:
- Trigger Cortana via “Tap and Say” or “Hey Cortana”
- Ask a question (this is more reliable) such as “What time is it?”
- Press the space bar, and the context menu appears
- Press esc, and the menu disappears
- Press the space bar again, and the contextual menu appears, but this time the search query is empty
- Start typing (you cannot use backspace). If you make a mistake, press esc and start again
- When done (carefully) typing your command, click on the entry in the Command category. (This category will appear only after the input is recognized as a command.)
- You can always right click and select “Run as Administrator” (but remember the user would have to log in to clear the UAC)
The flaw is fantastic, not only to change the password but also to execute a more powerful malicious PowerShell script without the need to log in the lock screen interface. The only requirement is the need for physical access to these systems and the activation of the digital voice assistant.
