Microsoft Fixes Cortana Lock Screen Bypass Flaw

Microsoft has patched a flaw in its Cortana virtual assistant that could enable hackers to bypass the lock screen on Windows 10 machines.

The fix is included in Microsoft’s latest Patch Tuesday bundle, which comprises 12 updates intended to patch a total of 49 security vulnerabilities.

This includes fixes for flaws in Windows, Office, SharePoint, and the Internet Explorer and Edge web browsers, along with a patch for the so-called ‘elevation of privilege vulnerability’ in Microsoft’s AI helper.

Lane Thames, a senior security researcher at Tripwire, commented on the long-standing flaw in Cortana, which meant the AI helper was always listening for commands, even when the PC was locked.

“The advisory states that ‘Cortana retrieves data from user input services without consideration for status’,” said Thames.

“It is not immediately obvious what ‘status’ means, but it appears to be that Cortana is listening to commands even when the machine is locked… Google shows that this vulnerability (or a part of it) was identified months ago and was initially discussed in March 2018 at the Kaspersky SAS 2018 conference.

“This particular vulnerability is not highly critical, but it is interesting as it targets a growing and popular class of technology – intelligent digital personal assistants. We’ve already seen weaknesses recently in Alexa due to third-party application issues. More of these types of problems will start to appear, most likely, in the years to come.”

Microsoft has also pushed out a patch for Spectre Variant 4, or ‘speculative store bypass’, a security flaw affecting PCs with Intel microprocessors. This will require some extra measures to fully fix, according to Microsoft guidance.

This security flaw could enable an attacker to bypass a user’s security via JavaScript code run in a browser.

“An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries,” warns the Microsoft guidance.

“Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability.

“In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639.

“However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.”

The patches also cover flaws in the Windows DNSAPI that could, according to security firm Qualys, “enable an attacker to compromise a system through a malicious DNS server”, and a critical flaw in Microsoft’s HTTP.sys kernel-mode protocol listener used by the IIS web server and various services in Windows.