Microsoft Vulnerability Allows Unauthorized Browsing

Researchers have detected a privilege escalation vulnerability with Cortana that allows hackers to gain physical access and do unauthorized browsing on your locked system.  Researchers working at security firm McAfee have observed two different scenarios of such attacks taking place. One, a hacker forcing Microsoft Edge to navigate to some other URL and two, a hacker using your credentials to access a limited version of Internet Explorer.

A post authored by McAfee’s Cedric Cochin and Steve Povolny explain, “A locked Windows 10 device with Cortana enabled on the lock screen allow an attacker with physical access to the device to do two kinds of unauthorized browsing. In the first case, the attacker can force Microsoft Edge to navigate to an attacker-controlled URL; in the second, the attacker can use a limited version of Internet Explorer 11 using the saved credentials of the victim.”

Now let’s re-examine the first scenario to understand it in a much better way. The Cortana vulnerability, though it doesn’t allow an attacker to unlock a locked device, helps gain physical access and thereby force Edge to navigate to any page that an attacker chooses to go to, with the device remaining locked all the while. It’s to be understood that this is not an instance of MiTM, BadUSB or rogue Wi-Fi, this is accomplished with simple voice commands or by interacting with the system’s mouse or touchscreen.

McAfee researchers explain in detail how this works. Cortana, a virtual personal assistant, helps get quick answers directly from a Bing search when you ask a question as part of looking up something. Some responses give detailed responses, which would include links to trusted websites. These links are clickable even when the device is locked, and thus, through these links, an attacker can force navigate to a website.

The McAfee post says-“Cortana is very helpful when it comes to defining terms, or looking up corporations, movies, artists, or athletes. She can even do the math. However, Cortana’s behavior and the answers she gives are affected by the way you ask a question. For example, if you were to ask the colloquial question “Hey Cortana, what is McAfee?” you would get a quick answer directly from a Bing search. If, however, you asked only “Hey Cortana, McAfee,” you would receive a more detailed response, including links to various trusted sites.”

The post also explains how an attacker can ask a question and from the Wikipedia articles for the search term, get to know the official website link too. The attacker can then purchase a cheaper domain and install an exploit kit on this newly acquired domain, thereby infecting locked Windows 10 PC with Cortana enabled, without ever logging in.

The researchers also explain how the second scenario works. They show how when you type “Hey Cortana, I want to sell my house”, you get results for Real Estate Search and Haunted house. Now, if you select Real Estate Search, you’d be taken to a login screen containing a link to Privacy Policy. This privacy policy section would contain the social media links- Facebook, YouTube etc. Thus anyone can reach the social media without even unlocking the device.

So, by using a limited version of the Internet Explorer 11, an intruder can visit a website or post unwarranted comments on some forum while the user is away after having locked the device. There is another danger also, particularly when the company offers password reset options. The McAfee post explains- “One potential attack scenario arises if a corporation offers a mechanism to reset Windows credentials via a web server but does not require users to re-enter the old password. One could simply navigate to the reset link, input a new password, exit the limited navigator, and unlock the device with the newly set password, all from a locked computer.”

The vulnerabilities have been fixed, with Microsoft’s August update. But the best mitigation, as per the McAfee researchers, is to turn off Cortana on the lock screen.