Today, McAfee announced that it has discovered a new
vulnerability in Windows 10’s Cortana digital assistant that
could be used by someone with physical access to manipulate
locked systems. It’s worth noting that the two new flaws have
been addressed as part of
Microsoft’s August update for Windows 10.
The vulnerability was discovered by the McAfee Labs Advanced
Threat Research team, and the researchers responsibly disclosed
it to Microsoft, which addressed the vulnerabilities in
The company says that locked Windows 10 devices with
Cortana could allow an attacker with physical access to do two
kinds of unauthorized browsing on unpatched systems.
The vulnerabilities allow the following:
- The attacker can force Microsoft Edge to navigate to an
- The attacker can use a limited version of Internet Explorer
11 with the saved credentials of the victim.
“In the first scenario, a Cortana privilege escalation leads to
forced navigation on a lock screen. The vulnerability does not
allow an attacker to unlock the device, but it does allow
someone with physical access to force Edge to navigate to a
page of the attacker’s choosing while the device is still
locked. This is not a case of BadUSB, man in the middle, or
rogue Wi-Fi, just simple voice commands and interacting with
the device’s touchscreen or mouse,” researchers Cedric
Cochin and Steve Povolny explain in a blog post.
Some additional discoveries by McAfee being addressed in the
latest set of Patch Tuesday updates include:
- McAfee researchers discovered that Cortana can be forced to
open an attacker-controlled page while in a locked state. One
way bad actors can take advantage of this vulnerability is to
manipulate Wikipedia pages (which Cortana frequently references
while in locked mode as a “trusted site”) to contain malicious
links and information.
- Researchers also discovered that attackers can access and
navigate Internet Explorer through the Internet Explorer engine
are enabled. Using this method, while the device is still
locked, attackers would be able to post comments on a public
forum from another user’s device or impersonate the user thanks
to its cached credentials.