Microsoft fixes Windows Hello authentication bypass vulnerability (July 2021)
Microsoft has addressed a security feature bypass vulnerability in its Windows Hello biometric authentication technology that let threat actors spoof a target's identity and trick the face recognition mechanism into giving them access to the system.
As discovered by CyberArk Labs security researchers, attackers can create custom USB devices that Windows Hello will work with and use them to completely circumvent its facial recognition mechanism with a single valid IR frame of the target.
Tsarfati reported the Windows Hello vulnerability, tracked as CVE-2021-34466 and rated as Important severity, to Microsoft in March.
Microsoft has released Windows 10 security updates to address the CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability as part of the July 2021 Patch Tuesday.
According to Redmond, Windows Hello customers with biometric sensor hardware and drivers with support for Enhanced Sign-in Security are not exposed to attacks abusing this security flaw.
"Customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline," Microsoft said in a statement.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-07-16 | CVE-2021-34466 | Authentication Bypass by Spoofing vulnerability in Microsoft Windows 10 Windows Hello Security Feature Bypass Vulnerability | 5.7 |