Microsoft patched a vulnerability that allowed someone to use Cortana, the company’s voice assistant, to gain access to a locked PC. McAfee said it discovered the problem earlier this year and revealed it to Microsoft on April 23; the fix arrived with the “Patch Tuesday” release from June 12.
Cortana is essentially Microsoft’s answer to Apple’s Siri, Amazon’s Alexa, and the Google Now assistants that ship with many new products. (Alexa, in particular, has branched out from the Echo speakers to laptops, set-top boxes, and television sets, despite the assistant’s recent privacy troubles.) You can use Cortana to search your PC, find information via the web, and handle basic tasks like checking the weather.
It turns out that attackers could also use Cortana to gain access to your PC. McAfee said it discovered earlier this year that Microsoft’s voice assistant, which recently expanded to the Windows 10 lock screen, had a code execution vulnerability that was given the CVE-2018-8140 identifier. Attackers could exploit this vulnerability to access personal data, execute code, and even reset passwords right from the lock screen.
Microsoft has already fixed this vulnerability, and even if you haven’t installed the patch, you can prevent Cortana from giving people access to your locked PC by disabling the assistant on the lock screen. Note that you must either download the Patch Tuesday release or manually disable Cortana on the lock screen; McAfee said that it was able to exploit this vulnerability on otherwise up-to-date versions of Windows 10.
The actual impact of this vulnerability was probably small. It only worked if someone had physical access to a device, relied on precise voice commands, and required careful timing of Cortana queries and button presses. The odds that someone exploited this vulnerability to access your PC are low. That doesn’t mean this problem isn’t worrisome, however, especially as voice assistants like Cortana become increasingly popular.
McAfee said in its blog post:
“The McAfee Advanced Threat Research team has a fundamental goal of eliminating critical threats to the hardware and software we use; this month’s patch is a clear step toward furthering that goal. The attack surface created by vocal commands and personal digital assistants requires much more investigation; we are just scratching the surface of the amount of research that should be conducted in this critical area.”
The patch that fixes this vulnerability should have been automatically installed on your Windows 10 device. If you want to make sure it was downloaded, you can check by going to the Windows Update section of the Update & Security page in the default Settings app.
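For administrators who want to verify both mitigations the article describes (Cortana kept off the lock screen, and the June 2018 update present) across a fleet rather than by clicking through Settings on each machine, here is an added PowerShell script. It is example code written for this page, not McAfee’s or Microsoft’s. It assumes the Group Policy setting “Allow Cortana above lock screen” (Computer Configuration > Administrative Templates > Windows Components > Search), which is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search as the DWORD AllowCortanaAboveLock; the KB number of the June 12 update is not given in the article, so it is left as a placeholder to fill in for your Windows 10 build. Run it from an elevated prompt.

```powershell
# Added example (not from the article or McAfee): audit and enforce the two
# mitigations described above on a Windows 10 machine. Run elevated.

# Group Policy "Allow Cortana above lock screen" is backed by this registry
# value; 0 disables Cortana on the lock screen for every user of the device.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$policyName = 'AllowCortanaAboveLock'

# Placeholder: the article does not give the KB number of the June 12, 2018
# update for your build. Look it up in the Windows 10 update history and fill it in.
$expectedKb = 'KBXXXXXXX'

function Get-CortanaAboveLockState {
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # no policy: the per-user Settings toggle applies
    if ($item.$policyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-CortanaAboveLock {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-UpdateInstalled {
    param([string]$Kb)
    # Get-HotFix reads the installed-update list (Win32_QuickFixEngineering).
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$state = Get-CortanaAboveLockState
Write-Host "Cortana above lock screen policy: $state"
if ($state -ne 'Disabled') {
    Disable-CortanaAboveLock
    Write-Host 'Policy set to Disabled; it applies after gpupdate /force or a reboot.'
}

if ($expectedKb -eq 'KBXXXXXXX') {
    Write-Host 'Set $expectedKb to the June 2018 update for this build to check the patch.'
} elseif (Test-UpdateInstalled -Kb $expectedKb) {
    Write-Host "$expectedKb is installed."
} else {
    Write-Host "$expectedKb is NOT installed; run Windows Update (Settings > Update & Security)."
}
```

Setting the policy value is the fleet-wide equivalent of the per-user “Use Cortana even when my device is locked” toggle the article refers to; it overrides that toggle rather than replacing it, so a machine reports NotConfigured when only the user setting is in play. The patch check is a complement to, not a substitute for, the Windows Update page: an update that is downloaded but waiting on a reboot will not yet appear in Get-HotFix.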