Microsoft published the release notes for June 2018's Patch Tuesday yesterday. A total of 50 vulnerabilities in the following software were patched; Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, and Adobe Flash Player.
Among the usual security cracks and gaffes, there was an interesting vulnerability in Cortana patched up. The details about this particular security vulnerability, CVE-2018-8140, are shared in Microsoft's Security Tech Centre here. In brief, it was a security hole that allowed a hacker to summon Cortana from the lock screen and run executables or scripts on a USB stick. It was even possible to reset the PC password this way, thus gaining full access to the computer and its files.
"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions," sums up CVE-2018-8140 background information.
In an email received from Tripwire about the Cortana vulnerability, it was suggested that this is an important issue to consider "as it targets a growing and popular class of technology – intelligent digital personal assistants". It is noted that Alexa has had weaknesses exposed with its 3rd party apps, and it is expected that we will see more probing of this 'attack surface'. Like Alexa, it seems that Cortana is listening to commands even if the machines is closed or locked (an optional default, see below).
Another security outfit, McAfee, has a detailed run though of this Cortana vulnerability, discussing and demonstrating how it works. The firm recommends that you apply the Microsoft Patch Tuesday updates or turn off Cortana access on your lock screen, at least until you apply the patch.
Last but not least Microsoft has released a new security advisory 4338110, and lists five known issues that it is working upon.