Windows 10: McAfee discovers new Windows 10 Cortana vulnerabilities that could manipulate locked systems

Today, McAfee has announced that it has discovered a new vulnerability in Windows 10’s Cortana digital assistant which could be used to manipulate locked systems with physical access. It’s worth noting that the two new flaws have been addressed as part of Microsoft’s August update for Windows 10.

The vulnerability was discovered by McAfee Labs Advanced Threat Research team and the researchers responsible disclosed it with Microsoft which addressed the vulnerabilities in today’s patch.



The company says that the locked Windows 10 devices with Cortana could allow an attacker with physical access to do two kinds of unauthorized browsing on the unpatched systems.

The vulnerabilities could allow the attackers:

• The attacker can force Microsoft Edge to navigate to an attacker-controlled URL.
• The attacker can use a limited version of Internet Explorer 11 using the saved credentials of the victim.

“In the first scenario, a Cortana privilege escalation leads to forced navigation on a lock screen. The vulnerability does not allow an attacker to unlock the device, but it does allow someone with physical access to force Edge to navigate to a page of the attacker’s choosing while the device is still locked. This is not a case of BadUSB, man in the middle, or rogue Wi-Fi, just simple voice commands and interacting with the device’s touchscreen or mouse,” researchers Cedric Cochin and Steve Povolny explains in a blog post.

Some additional discoveries by McAfee being addressed in the latest set of Patch Tuesday updates include:

• McAfee researchers discovered that Cortana can be forced to open an attacked-controlled page while in a locked state. One way bad actors can take advantage of this vulnerability is to manipulate Wikipedia pages (which Cortana frequently references while in locked mode as a “trusted site”) to contain malicious links and information.
• Researchers also discovered that attackers can access and navigate Internet Explorer through the Internet Explorer engine and not the full browser, though both JavaScript and cookies are enabled. Using this method, while the device is still locked attackers would be able to post comments on a public forum from another user’s device or impersonate the user thanks to its cached credentials.

The post McAfee discovers new Windows 10 Cortana vulnerabilities that could manipulate locked systems appeared first on Windows Latest

Weiterlesen...

 

Can I install updates via McAfee Vulnerability Scanner

Is it advisable to install all the updates that the McAfee Vulnerability Scanner finds, and download and install them through McAfee? Thought I would be getting notifications from Microsoft on needed updates. They listed several Windows 10 updates and a
few program updates like Adobe Flash Player for Windows 10 and Shockwave Player. I've always received notifications from Adobe in the past when Flash Player needed an update. Is this new way or is McAfee just intruding?

McAfee Vulnerability Scanner Update List- Original Title

 

Windows 10 Tweaks

Pressing “Windows+Pause Break” (it’s up there next to scroll lock) opens the “System” Window.

Windows 10: In the new version of Windows, Explorer has a section called Quick Access. This includes your frequent folders and recent files. Explorer defaults to opening this page when you open a new window. If you’d rather open the usual This PC, with links to your drives and library folders, follow these steps:

• Open a new Explorer window.
• Click View in the ribbon.
• Click Options.
• Under General, next to “Open File Explorer to:” choose “This PC.”
• Click OK

credit to Lifehacker.

 

New Microsoft Edge vulnerability discovered

Read more: New Microsoft Edge vulnerability discovered, leaks password and cookie data, such as Twitter and Facebook passwords | On MSFT


Update: Microsoft responds to 3 unpatched Microsoft Edge vulnerabilities, no fixes available yet | On MSFT