Serious Microsoft Security Flaw Exposed Using Voice Commands
Microsoft Australia has not said how many Australians are affected by the exposure of a serious flaw that allows Microsoft’s digital assistant Cortana, running on Windows 10, to be easily infected with a virus.
ChannelNews understands that tens of thousands of people who have purchased new computers could be affected.
Independent Israeli security researchers found the major security flaw this week when delivering simple voice commands.
What they discovered is that they could easily install malware and launch websites from a computer’s locked screen. Contributing to the problem were security issues in Windows 10 that allow a device to connect to a different network while it is still locked.
This means an attacker can connect a USB with a network adapter and ask Cortana to open an unencrypted and potentially dangerous website.
The two Israeli researchers, Tal Be’ery and Amichai Shulman, found that Cortana responds to some voice commands even when the computer is in sleep mode and locked.
According to Microsoft, the problem has been resolved; however, the researchers say Cortana still responds to commands when locked.
The researchers told Vice Motherboard that this could allow someone to plug a USB with a network adapter into a computer and command Cortana to open the device’s web browser and go to a specific web address, even one that doesn’t use HTTPS, meaning that the traffic between the user’s device and the website is not encrypted.
The malicious network adapter can then intercept the web sessions to send the device to a malicious website, where malware can be downloaded to the machine.
‘We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it,’ says Be’ery.
‘Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer.’
The attacker could also connect the computer to a Wi-Fi network controlled by the attacker by clicking on a specific network, even when the computer is locked.
The researchers are set to present their findings this Friday at the Kaspersky Analyst Security Summit in Cancun, Mexico.