Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Windows IT

A Vulnerability in Cortana, Now Patched, Allowed Attacker To Access a Locked Computer, Change Its Password (bleepingcomputer.com) 59

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC's password to access the device in its entirety. The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principle Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April. The vulnerability is CVE-2018-8140, which Microsoft classified as an elevation of privilege, and patched yesterday during the company's monthly Patch Tuesday security updates. Further reading: Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update.
This discussion has been archived. No new comments can be posted.

A Vulnerability in Cortana, Now Patched, Allowed Attacker To Access a Locked Computer, Change Its Password

Comments Filter:
  • by SumDog ( 466607 ) on Wednesday June 13, 2018 @11:05AM (#56777538) Homepage Journal

    He better have gotten a huge bug bounty for that. Remove code and auth changes via Cortana? That's gotta be worth at least the $10k PornHub paid for their PHP remote code execution (which wasn't even a PornHub bug, but a PHP one; so that company collected the PHP bounty on top of it as well).

    • by Anonymous Coward

      He go a thank you note and a box of tissues. Better luck next year champ.

      • by gweihir ( 88907 )

        If so, he will probably sell on the vulnerability market for >> 100k next time. People want to be honest, but the conditions need to reasonably support that decision.

  • by IWantMoreSpamPlease ( 571972 ) on Wednesday June 13, 2018 @11:11AM (#56777590) Homepage Journal

    How long before this bug is re-introduced?
    It's continually blows my mind people *voluntarily* use Win10...the track record of show-stopping problems with this OS is well known.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      Most modern software that is used in the business world requires Windows 10. The telepresence and collaboration features are world-class and provide a huge boost to productivity and TTM. We have competitors that struggle along with other solutions and we're constantly celebrating wins over them, on nearly every opportunity.
      • by gweihir ( 88907 )

        And then you look at what most Fortune-500 companies actually run internally, and you find it is not Win10. I know, for example, one that finished the migration to Win7 only 2 years ago or so and will not move to Win10 at all. Instead they will move to web-terminals and Servers on RHEL. Win10 is a very bad deal for everybody (including, funnily, MS), and a lot of people are seeing that pretty clearly.

        • "Most" - such a weasel word.

          I can tell you first hand that #13 on that 500 list is Windows 10 wall-to-wall at the workstation. And #41 and #368 are Win 7/10 mix. Both will remain there for the foreseeable future.

          Fortune 500 companies employee 28.2 million people worldwide. Average that out, and those three examples above represent about 169,000 seats. It's a drop in the bucket, sure, but I bet if you really took an *honest* look at what F500 companies actually run internally (at the workstation) you w
          • by gweihir ( 88907 )

            What are you even talking about? I pointed out an example that does run Win7 and does not intend to ever go to Win10. And you are talking about "Win7/10"? Have you by accident responded to the wrong posting?

            • The grandparent rather obviously disagreeing with this statement,"And then you look at what most Fortune-500 companies actually run internally, and you find it is not Win10." The grandparent then provides a few counter examples to your argument and even gives a sample size for how relevant the grandparent's example is vs yours. Is English not your first language?

              I'm going to disagree with this one, "Win10 is a very bad deal for everybody (including, funnily, MS),"

              I work for MS, on Windows; we don't
    • why would anyone add Cortana and enable voice commands? (ahh - facebook users might - that's another whole level of stupidness)
      • by gweihir ( 88907 )

        There are a lot of people that are unable to make a distinction between "new" and "good idea". At least that is the only explanation for this stupidity I have.

    • by Solandri ( 704621 ) on Wednesday June 13, 2018 @12:51PM (#56778268)
      The bugs don't bother me - they're inevitable. It's the "features" that are deliberately put into Win 10 which annoy me most. I changed the program associated with several file types to non-Microsoft programs soon after upgrading to Win 10. After last week's patch, instead of launching the program when double-clicking on the associated file type, it popped up the standard "no associated program" dialog and asked if I wouldn't rather want to use the Microsoft product instead of the one I'd selected.

      If I went to the trouble to change the default to a different program, that should be a pretty clear indication that I don't want to use the default Microsoft program. Please stop bugging me about it. This is supposed to be an operating system that I paid for, not an advertising platform. I'm worried we're headed down the same path as Cable TV - where originally you paid for cable so you wouldn't have to watch ads like on broadcast TV. But soon the cable channels figured out they could charge you for the channel AND put ads in their programming.
    • by gweihir ( 88907 )

      Indeed. It is not that MS has gotten even more incompetent. It is that they just do not have what it takes to run a release model like the one of Win10.

  • Far too integrated into the operating system for it's own good.
    • by Dwedit ( 232252 )

      Step 1: Open administrator command prompt
      Step 2: Kill Explorer
      Step 3: Kill all the Cortana processes (Explorer automatically restarts them)
      Step 4: Using administrator command prompt, Rename C:\windows\SystemApps\Microsoft.Windows.Cortana_something to have .old at the end so Windows can't start it any more.

      Warning: May possibly break Windows Update? Not sure.

  • I thought so from the start, but when they made it so you couldn't fully disable Cortana, then I knew it for sure.

    Just like Office of the Clippy era, it's introducing vulnerabilities you can't fix unless you hack the system beyond Microsoft's specifications.

    • by gweihir ( 88907 )

      You have a fundamental misunderstanding there: "sudo" gives you the power of command, you know, like in the *nix world. Saying "please" is a thing you need to do in Windows only, where you are a lowly user to be interfaced but not empowered.

  • by WoodstockJeff ( 568111 ) on Wednesday June 13, 2018 @11:50AM (#56777874) Homepage

    "Microsoft has patched a vulnerability in the Cortana smart assistant that ALLOWS an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC's password to access the device in its entirety."

    The patch was released 1 day ago. This vulnerability still exists for every Cortana-equipped computer that has not yet been updated.

    And how many people refuse to update because updates have a history of breaking things?

  • by TheDarkMaster ( 1292526 ) on Wednesday June 13, 2018 @11:55AM (#56777904)
    Using Windows 7 again. After the disastrous 1803 update I decided to stop playing beta operating system tester.
    • by gweihir ( 88907 )

      Since it is not feature stable, I will go ahead and call Win10 "alpha" quality.

You know you've landed gear-up when it takes full power to taxi.

Working...