Microsoft Recall Flaw Allows Data Extraction via DLL Injection

Severity: Medium (Score: 51.9)

Sources: Thecyberexpress, Itnews.Au

Summary

Researchers have identified a weakness in Microsoft's redesigned Recall feature for Windows 11 that allows an attacker running as the logged-in user to extract decrypted Recall data, including screenshots and the associated metadata. The issue lies in the AIXHost.exe process, which lacks protections against code injection, so a DLL can be injected into it without administrative privileges. The TotalRecall Reloaded tool does exactly this: once the user has authenticated through Windows Hello, it injects its payload DLL into AIXHost.exe and extracts the decrypted data. Microsoft has defended the architecture, stating that the behaviour falls within the documented security design and does not constitute a vulnerability. No CVE has been assigned.

The finding follows Alexander Hagenah's 2024 discovery (the original TotalRecall), which led Microsoft to suspend Recall temporarily and redesign it with additional protections. The current issue shows that those protections do not extend to post-authentication access to the host process by code running as the same user.

Key Points:

  • TotalRecall Reloaded abuses the lack of injection protection in AIXHost.exe to extract data after the user has authenticated.
  • Microsoft states the behaviour is within the documented security design and is not a vulnerability.
  • The attack requires no privileges beyond those of the logged-in user.
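Because Microsoft treats this as by-design behaviour, there is no patch to wait for; the control a defender actually has is telemetry on AIXHost.exe. The injection happens inside the user's own session, so nothing crosses a privilege boundary and account-based alerting will not fire. What does show up is an unexpected image load or a remote thread in the Recall host. The script below is an added example, not code from the article or from the TotalRecall Reloaded tool: it scans Sysmon-style events (Event ID 7, Image loaded; Event ID 8, CreateRemoteThread) and flags any non-Microsoft-signed DLL loaded into AIXHost.exe, or any process that creates a thread in it. The sample events, the user name, the download paths and the AIXHost.exe install path are all constructed for illustration; only the Sysmon field names are real.

```python
"""Flag DLL injection into Recall's AIXHost.exe from Sysmon-style events.

Added example, not part of the original article or the TotalRecall
Reloaded tool. Field names follow Sysmon Event ID 7 (Image loaded) and
Event ID 8 (CreateRemoteThread). All sample events below are constructed;
the AIXHost.exe path and the user paths are assumptions, not verified.
"""
import json

# Recall host process named in the article (basename, compared case-insensitively).
TARGET_PROCESS = "aixhost.exe"

# Constructed sample events, one JSON object per line. The AIXHost.exe path
# is an assumption; the download paths are illustrative only.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\SystemApps\\AIX\\AIXHost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\Downloads\\totalrecall.exe", "TargetImage": "C:\\Windows\\SystemApps\\AIX\\AIXHost.exe", "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryW"}
{"EventID": 7, "Image": "C:\\Windows\\SystemApps\\AIX\\AIXHost.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\totalrecall_payload.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\totalrecall_payload.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_microsoft_load(ev: dict) -> bool:
    """True when Sysmon reports a valid signature from a Microsoft signer."""
    return (
        ev.get("Signed") == "true"
        and ev.get("SignatureStatus") == "Valid"
        and ev.get("Signature", "").startswith("Microsoft")
    )


def check_event(ev: dict):
    """Return an alert string for a suspicious event, or None.

    Event 7: any image loaded into AIXHost.exe that is not validly signed by
    Microsoft. Event 8: any process creating a thread inside AIXHost.exe
    (the classic LoadLibrary-based injection pattern).
    """
    eid = ev.get("EventID")
    if eid == 7 and _basename(ev.get("Image", "")) == TARGET_PROCESS:
        if not is_trusted_microsoft_load(ev):
            return (f"non-Microsoft DLL loaded into {TARGET_PROCESS}: "
                    f"{ev.get('ImageLoaded', '?')}")
    elif eid == 8 and _basename(ev.get("TargetImage", "")) == TARGET_PROCESS:
        return (f"remote thread created in {TARGET_PROCESS} by "
                f"{ev.get('SourceImage', '?')} "
                f"(start: {ev.get('StartFunction', '?')})")
    return None


def scan(event_lines: str) -> list:
    """Parse newline-delimited JSON events and collect alerts in order."""
    alerts = []
    for line in event_lines.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed feed, the script raises two alerts: the CreateRemoteThread from totalrecall.exe into AIXHost.exe, and the subsequent load of the unsigned totalrecall_payload.dll into it. The same DLL loading into explorer.exe is deliberately ignored, since the point is to watch the one process that holds decrypted Recall data. In production, feed it the Sysmon channel (or the equivalent EDR image-load and thread-creation telemetry) and expect to add an allow-list for legitimately signed third-party shell extensions that may also appear in AIXHost.exe.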

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • T1055 - Process Injection (mitre_attack)
  • SQLite (platform)
  • Windows (platform)
  • Windows 11 (platform)
  • Totalrecall.exe (tool)
  • Totalrecall_payload.dll (tool)
  • TotalRecall Reloaded (tool)