Locked Win10 PCs can leak sensitive data via Cortana

Researchers from security vendor McAfee have demonstrated a way to use Microsoft's personal digital assistant Cortana as an attack vector to get into locked Windows 10 PCs.

McAfee's researchers found three serious vulnerabilities that used Cortana to leak sensitive information and to execute attack code.

They discovered that Cortana is tied in with the Windows file indexing service and, if given the right query, will bring up a contextual menu on a locked PC.

This could be used to expose information stored in files at the default indexed locations, McAfee said.

By dropping an executable file through phishing or another vector, or a PowerShell script, the researchers found they were able to run code at the privilege level of the logged in user, but this "probably does not represent much of an attack vector," they said.

One limitation is that attackers cannot pass command line parameters to the malicious code in question, and the payload has to be indexed by Windows. 

That and other factors such as execution policy limiting what can be run, and dropping PowerShell scripts with remote access to the PC or its login screen, limited the effectiveness of the attack.

However, Cortana is again overly helpful and can be tricked into executing code via simple questions such as "What time is it?" and pressing the ESC key and space bar to bring up a contextual menu to type in commands.

Microsoft has acknowledged the vulnerabilities which affect 32-bit and 64-bit Windows 10 and Windows Server versions 1709 and 1803, and issued a combined patch for them.

McAfee suggested turning off Cortana on the Windows 10 lockscreen on systems that haven't been patched.

Microsoft, Apple, Amazon and other vendors have struggled to keep their respective personal digital assistants from straying into dangerous territory as their respective capabilities grow.