The flaw can be exploited via digital assistant Cortana

Jun 13, 2018 09:12 GMT

A vulnerability in Windows 10 allows attackers to hijack a computer even while it is locked, relying only on the digital assistant Cortana to execute the necessary commands.

An in-depth analysis of the vulnerability published by McAfee reveals that the “Hey, Cortana!” voice command, which is enabled by default in Windows 10 and can be triggered even from the lock screen when the device is locked, gives potential attackers the ability to see file information and file content, and can even allow arbitrary code execution.

McAfee’s research shows that it is possible to open a Windows contextual menu simply by typing while Cortana is listening for a query on a locked device, and this is the first step towards a successful attack.

“All the results presented by Cortana come from indexed files and applications, and that for some applications the content of the file is also indexed. Now we can simply hover over any of the relevant matches. If the match is driven by filename matching, then you will be presented with the full path of the file. If the match is driven by the file content matching, then you may be presented with the content of the file itself,” McAfee explains.

Patch already available

Once the location of a file, and possibly its content, is accessible, hackers can continue their attack and obtain code execution rights from the Windows lock screen.

Triggering this behavior allows malicious actors to open scripts, including PowerShell scripts, on a locked device, which makes it possible to run certain commands that require no parameters. For example, McAfee says that it is possible to remove software from a target system.

The analysis goes into detail on how to log into a locked Windows 10 device with no user interaction, again relying on Cortana to further advance the exploit. The steps to do this are the following (as provided by McAfee):

1. Trigger Cortana via “Tap and Say” or “Hey Cortana”.
2. Ask a question (this is more reliable) such as “What time is it?”
3. Press the space bar, and the context menu appears.
4. Press Esc, and the menu disappears.
5. Press the space bar again, and the contextual menu appears, but this time the search query is empty.
6. Start typing (you cannot use backspace). If you make a mistake, press Esc and start again.
7. When done (carefully) typing your command, click on the entry in the Command category. (This category will appear only after the input is recognized as a command.)
8. You can always right-click and select “Run as Administrator” (but remember the user would have to log in to clear the UAC).

Microsoft has already patched this vulnerability as part of this month’s Patch Tuesday rollout, but on systems where the latest updates have not been deployed yet, it is recommended to turn off Cortana.
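The mitigation above, turning Cortana off until the patch is deployed, can be audited and enforced centrally with the Windows Search machine policies. The following is an added example, not code from the article or from McAfee; it assumes the standard policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search` with the DWORD values `AllowCortanaAboveLock` and `AllowCortana`, and must be run from an elevated PowerShell session.

```powershell
# Added example: audit, then enforce, the Cortana lock-screen policies.
# Assumed policy key and value names (standard Windows Search policies).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$Wanted = @{
    'AllowCortanaAboveLock' = 0   # 0 = Cortana is not available on the lock screen
    'AllowCortana'          = 0   # 0 = Cortana disabled entirely (the article's advice)
}

function Get-CortanaPolicyState {
    # One object per policy: current value ($null if unset) and whether it matches $Wanted
    foreach ($name in $Wanted.Keys) {
        $current = $null
        if (Test-Path $PolicyKey) {
            $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Policy    = $name
            Current   = $current
            Compliant = ($current -eq $Wanted[$name])
        }
    }
}

function Set-CortanaLockScreenPolicy {
    param([switch]$WhatIf)
    # Create the policy key if it does not exist yet, then write every wanted value
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force -WhatIf:$WhatIf | Out-Null
    }
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Wanted[$name] -Type DWord -WhatIf:$WhatIf
    }
}

# Audit first and only remediate when something is non-compliant
$state = Get-CortanaPolicyState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Compliant }) {
    Set-CortanaLockScreenPolicy
    Write-Host 'Cortana policies applied; a reboot may be required before they take effect.'
}
```

Run `Set-CortanaLockScreenPolicy -WhatIf` first to see which registry writes would be made without changing anything.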