Microsoft wants Cortana to become your bona fide Windows assistant. You can talk to her with a “Hey Cortana” and the assistant will do tasks you command. As you would expect, one of the commands is not “Hey Cortana, break into a Windows 10 device”. However, there is a vulnerability in Cortana that leaves Windows machines wide open.

Security firm McAfee reports a flaw in Cortana, specifically in the ability to use the assistant from the lock screen.

This situation can be exploited to execute code from the locked screen to access the machine. In its report, McAfee says this works even on patched PCs up to Redstone 3, the Fall Creators Update.

It is worth noting that Microsoft used yesterday’s (June 12) Patch Tuesday to fix this problem. If you have taken the cumulative update you should be fine, but if not, you may not want to leave your PC lying around.

Accessing Cortana from the lock screen could allow hackers to execute malicious software. Of course, the attacker would need physical access and some alone time with a machine.

McAfee shows how the assistant can be used to execute code from a USB drive attached to the PC and from the lock screen.

The code could be a PowerShell script able to change system settings, such as an account password. Windows 10 automatically indexes files for Cortana to search, even if the device is locked. It is this aspect of the assistant that could be exploited:

  • Land a PowerShell script in a location that will be indexed
    • Public folder, public share, or OneDrive
  • Execute a search query that will show the document and click on it
    • “Hey Cortana, PS1”
    • Select the PowerShell script you just indexed and left click
    • The PowerShell script opens in Notepad
  • Execute a search query that will show the recent documents, right click, and…
    • Using Cortana, type or search in the contextual menu for “txt”
    • Right click on the PowerShell script in the Recent category under the Apps tab at the top (not Documents)
    • Click “Run with PowerShell”

Mitigation

McAfee says the best way to protect against this flaw is to patch your Windows 10 through this week’s Patch Tuesday. However, not everyone will be able to update, so the obvious mitigation is to turn off Cortana on the lock screen.
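
One way to check and apply the lock-screen mitigation on machines that cannot take the update yet, as an added example that is not from McAfee or Microsoft. It reads the registry value behind the "Allow Cortana above lock screen" Group Policy setting (`AllowCortanaAboveLock`); the function name and the `-Enforce` switch are this example's own.

```powershell
# Added example: audit, and optionally enforce, the policy that keeps
# Cortana off the lock screen. Writing to HKLM requires an elevated prompt.
param([switch]$Enforce)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$policyName = 'AllowCortanaAboveLock'   # DWORD: 0 = Cortana unavailable above the lock screen

function Get-CortanaLockScreenPolicy {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' for the machine-wide policy.
    $item = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # no policy: the user's own setting applies
    if ($item.$policyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$state = Get-CortanaLockScreenPolicy
Write-Output "Cortana above lock screen policy on $env:COMPUTERNAME : $state"

if ($state -ne 'Disabled') {
    if ($Enforce) {
        # Create the policy key if it does not exist yet, then set the value to 0.
        if (-not (Test-Path $policyPath)) {
            New-Item -Path $policyPath -Force | Out-Null
        }
        New-ItemProperty -Path $policyPath -Name $policyName -Value 0 `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Policy now: $(Get-CortanaLockScreenPolicy)"
    }
    else {
        Write-Warning 'Cortana may be reachable from the lock screen. Re-run with -Enforce to disable it.'
    }
}
```

Run without arguments to audit only; in a domain, setting the same policy through Group Policy keeps it from being reverted locally.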