Microsoft patched the bug with June 2018 updates

Aug 10, 2018 08:11 GMT

Microsoft is continuously working on making Windows 10 more secure, and while the company has indeed managed to make the operating system more difficult to break into, bugs in certain features make hackers’ lives significantly easier.

A vulnerability called Open Sesame allows hackers to execute arbitrary code on a Windows 10 computer using just their voice.

The bug exists in the digital assistant Cortana, and a team of researchers revealed at the Black Hat conference in Las Vegas that anyone could get rights to access sensitive files, connect to malicious websites, download and run infected files, and even gain elevated privileges on a locked computer.

This is possible because the UI on Windows 10 now allows apps to run in the background: while the computer is locked for mouse and keyboard use, Cortana can still perform a series of tasks.

Security researchers Amichai Shulman, Tal Be’ery of Kzen Networks, and Ron Marcovich and Yuval Ron of the Israel Institute of Technology discovered the flaw and reported it to Microsoft back in April, according to a report from Threatpost.

Issue already patched

The bug is documented as CVE-2018-8140, and Microsoft explains that no exploit has been discovered in the wild. It was assigned an Important security rating.

“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. To exploit the vulnerability, an attacker would require physical/console access and the system would need to have Cortana assistance enabled,” Microsoft explains.

“The security update addresses the vulnerability by ensuring Cortana considers status when it retrieves information from input services.”

The flaw exists in Windows 10 Fall Creators Update (version 1709) and April 2018 Update (version 1803) and newer; installing the most recent update keeps systems protected.