This month’s Patch, er sorry, Update Tuesday includes fixes for 50 high-impact vulnerabilities in Microsoft Windows – 11 of which were rated Critical and 39 Important.
The majority of the Critical bugs patched in this update affect the Edge browser, while most of the Important bugs belonged to Windows 10.
One of the more interesting Windows 10 fixes in this update was a Cortana bug (CVE-2018-8140) that allowed an attacker to bypass the Windows lock screen entirely, accessing private data on the machine, and even running executables.
An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.
It’s worth noting that Cortana is automatically enabled on the default settings for Windows 10, including the lock screen. With about 150 million people using Cortana today, by Microsoft’s estimates, this vulnerability could affect a lot of people (although an attacker needs to be near enough to a vulnerable machine for it to hear them, obviously).
Apple fanboys would do well to remember that Siri is no stranger to lock screen bugs should they be tempted to throw any stones from the comfort of their glass houses!
Thankfully, there’s now a patch. If you aren’t planning to patch any time soon you can disable Cortana access on the lock screen.
The fallout from Spectre and its progeny continues, and this Update includes mitigations against Speculative Store Bypass (CVE-2018-3639); however, anyone who wants to deploy these protections will need to enable them manually as Microsoft says they aren’t enabled by default in this update.
Other bug fixes include additional protections for Windows 2008 through Windows 10 against Meltdown (CVE-2017-5754) and two variants of Spectre: CVE-2017-5715 aka Spectre variant two, and CVE-2018-3639 aka SpectreNG.
MikeP
But what avout the many more millions still running W8, W8.1 or W7? They are still the majority of users according latest industry figures. So what has been patched in those OSs?
Nobody_Holme
Cortana on your lock screen is an awful data leaker anyway. I found it easier to just disable her on the lock screen, as unlocking is a swipe and very quick pin entry anyway, even without Microsoft Hello to help. With Hello enabled hardware, i can log in faster than i can put on my headset to hear her, although that doesn’t apply to mobile hardware using the speakers.
Then again, do i want to let everyone in range hear her answering me?
Bryan
That may vary radically with what you’ve asked. :,)
Bryan
Okay Google,
tell Siri
to ask Alexa
to have Cortana
relay to Maria
that I enjoyed the headline to her article. Oh yeah, the article too.