Posted on July 19, 2021 at 5:10 PM
Microsoft continues to field bug and vulnerability reports, especially for Windows. A recent report reveals that researchers at CyberArk have found another one, this time in Microsoft’s Windows Hello. According to the report, the vulnerability gives a determined threat actor with access to the machine an easy way past the login screen and onto the user’s computer.
The attack does not rely on remote code execution against an unpatched memory-safety bug. Instead, it exploits a logic vulnerability in the Windows Hello login verification process.
The good news is that the vulnerability can only be exploited with physical access to the device, so it cannot be triggered remotely, unlike many other types of bugs. But Omer Tsarfati, a security researcher at CyberArk, noted that the risk is higher than that caveat suggests.
He said those at highest risk are enterprise users who have enabled biometric authentication on their workstations: an attacker who gets to the machine can walk straight past the login, without the password a phishing attacker would first have to steal.
According to Tsarfati, the attack bypasses those protections, which is a serious threat to the data on Windows 10 PCs. It is especially worrying for Windows 10 systems that rely on passwordless sign-in through Windows Hello.
Microsoft has already announced that, from 2023, laptops will be required to ship with a webcam that supports Windows Hello in order to run Windows 11, which will put many more devices within reach of this class of attack.
Microsoft says a patch for the bug has been released
In response, Microsoft released a patch on July 13 that limits exposure to the bug and mitigates the issue.
However, Tsarfati stated that the patch only prevents the vulnerability from being exploited in certain ways, and that more sophisticated attackers could still find a path to exploit it. While Microsoft’s Enhanced Sign-in Security limits the attack, he said, it does not eliminate it; he recommends that Microsoft add a further layer of authentication around the biometric signal to close the hole fully. Enhanced Sign-in Security also depends on supported hardware and drivers, so not every device that receives the July patch benefits from it.
Windows Hello offers three authentication methods: facial recognition, a fingerprint scanner, and a user-chosen PIN. The CyberArk researchers targeted facial recognition, but that doesn’t mean the other methods are free of issues.
Facial recognition requires a camera with both infrared and RGB sensors. The flaw could affect a large share of Windows users: in December last year, Microsoft said the proportion of Windows 10 users who sign in with Windows Hello had risen to 84.7%, from 69.4% in 2019.
Microsoft didn’t say what share of those users sign in with a PIN or fingerprint rather than facial recognition. Even so, with about 1.3 billion Windows users, the bug could affect millions of devices.
A motivated attacker could cause problems for Windows users
Tsarfati will present the team’s findings at the Black Hat security conference in Las Vegas next month. He says the team chose Windows Hello’s facial recognition because fingerprint-sensor spoofing and PIN cracking have already been researched extensively in the industry.
He also said the sheer size of the Windows Hello user base made it an attractive target.
CyberArk’s research fits the mould of the wider class of attacks known as “downgrade attacks.” In this case, the attacker falls back to a less secure mode to trick the device: a third-party camera, like the one the CyberArk team used, feeds Windows Hello static, prerecorded face data, and Windows Hello accepts it. The researchers wondered why Microsoft hadn’t anticipated such attacks from third-party cameras.
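Because the attack hinges on Windows Hello trusting whatever camera is plugged in, a practical first check on an affected fleet is to see which cameras each host actually exposes. The script below is an added example written for this article; it is not code from the article, from CyberArk or from Microsoft. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows 10/11 host, run as an administrator, and its “suspicious” rule is a heuristic of this example rather than a Microsoft definition.

```powershell
# Added example, not code from the article or from CyberArk's research.
# Audits the cameras a Windows 10/11 host currently exposes to Windows Hello and
# flags hot-pluggable USB ones, since the attack described above depends on a
# device that presents itself as a camera. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run as an administrator; the "Suspicious" rule is a
# heuristic of this example, not a Microsoft definition.

function Get-HelloCameraAudit {
    [CmdletBinding()]
    param()

    # Cameras register under the 'Camera' class on recent builds and under the
    # older 'Image' class with some drivers, so query both.
    $devices = Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue

    foreach ($dev in $devices) {
        # The instance ID is prefixed with the bus, e.g. USB\VID_046D&PID_085E\...
        $bus = ($dev.InstanceId -split '\\')[0]

        # DEVPKEY_Device_RemovalPolicy: 1 = not expected to be removed (typical for
        # a built-in laptop camera), 2/3 = orderly or surprise removal expected.
        $removal = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                        -KeyName 'DEVPKEY_Device_RemovalPolicy' -ErrorAction SilentlyContinue).Data

        [pscustomobject]@{
            FriendlyName  = $dev.FriendlyName
            Class         = $dev.Class
            Status        = $dev.Status
            Bus           = $bus
            RemovalPolicy = $removal
            InstanceId    = $dev.InstanceId
            # Heuristic: an external, hot-pluggable USB camera is the kind of device
            # the CyberArk attack plugs in. Built-in cameras are often USB as well,
            # so treat a hit as a prompt to check, not as proof of tampering.
            Suspicious    = ($bus -eq 'USB' -and $removal -ne 1)
        }
    }
}

# Whether the Windows Hello Face feature-on-demand package is installed at all;
# a host without it has no face-recognition login to bypass.
function Get-HelloFaceState {
    Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
        Where-Object Name -like 'Hello.Face*' |
        Select-Object Name, State
}

Get-HelloFaceState
Get-HelloCameraAudit | Format-Table FriendlyName, Bus, RemovalPolicy, Suspicious -AutoSize
```

Run it once on a known-good machine to capture a baseline of the expected camera instance IDs, then compare later runs against that baseline; a camera that is present but was never in the baseline, or one whose removal policy says it is hot-pluggable, is worth a physical look before trusting the sign-in.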