Slashdot Mirror


A Vulnerability in Cortana, Now Patched, Allowed Attacker To Access a Locked Computer, Change Its Password (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC's password to access the device in its entirety. The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April. The vulnerability is CVE-2018-8140, which Microsoft classified as an elevation of privilege, and patched yesterday during the company's monthly Patch Tuesday security updates. Further reading: Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update.

2 of 59 comments

  1. So, given the pace of new features in Win10 by IWantMoreSpamPlease · Score: 4, Insightful

    How long before this bug is re-introduced?
    It continually blows my mind people *voluntarily* use Win10... the track record of show-stopping problems with this OS is well known.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re: So, given the pace of new features in Win10 by Solandri · Score: 4, Insightful

      The bugs don't bother me - they're inevitable. It's the "features" that are deliberately put into Win 10 which annoy me most. I changed the program associated with several file types to non-Microsoft programs soon after upgrading to Win 10. After last week's patch, instead of launching the program when double-clicking on the associated file type, it popped up the standard "no associated program" dialog and asked if I wouldn't rather want to use the Microsoft product instead of the one I'd selected.

      If I went to the trouble to change the default to a different program, that should be a pretty clear indication that I don't want to use the default Microsoft program. Please stop bugging me about it. This is supposed to be an operating system that I paid for, not an advertising platform. I'm worried we're headed down the same path as Cable TV - where originally you paid for cable so you wouldn't have to watch ads like on broadcast TV. But soon the cable channels figured out they could charge you for the channel AND put ads in their programming.