The exploit circumvents Windows Hello security, so if you log into your PC using facial recognition on Windows 10, be aware that it is not only older versions of Microsoft's OS that can be easily fooled.
While this spoofing may not be easy for attackers to reproduce, the security company is urging users of the Windows 10 Anniversary Update to update to the latest version of the OS, enable the "enhanced anti-spoofing" feature (if available) and then reconfigure Windows Hello Face Authentication from scratch.
Windows Insiders running Build 170653 or later can now try out this feature.
Basically, you'll need to set up Windows Hello again on your device to dodge the exploit completely.
Microsoft developed Hello to add an extra layer of biometric protection to the Windows 10 operating system.
This meant that Microsoft was basically admitting that its own Surface Pro 4 device, which is powered by a 6th-gen Intel Core chip, doesn't meet its own security standards.
Even those running the latest Fall Creators Update could potentially be victims here. However, the attack was only successful on version 1703, the Creators Update rolled out in Spring 2017, and 1709, the Fall Creators Update now being rolled out, when anti-spoofing was disabled. It is the update version KB4053577, which patches issues that may cause the reset of its global settings preference file. Windows Hello must also be entirely reconfigured to prevent a successful attack, so facial recognition should be manually disabled and then turned back on.
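The conditions above can be checked on a host with a short audit. This PowerShell script is an added example, not from the researchers or Microsoft. It assumes the standard build numbers for versions 1703 and 1709 (15063 and 16299) and the standard Group Policy registry location for "Configure enhanced anti-spoofing", neither of which appears in the article.

```powershell
# Added example: audit a Windows 10 host against the conditions the article describes.
# Assumptions (not from the article): build 15063 = version 1703, 16299 = version 1709,
# and the policy value lives under HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures.

function Get-HelloFaceSpoofingStatus {
    # Read the OS build from the registry.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Read the enhanced anti-spoofing policy. A missing value means the policy is
    # not enforced and the choice is left to the user on supported hardware.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $policy = Get-ItemProperty -Path $policyPath -Name 'EnhancedAntiSpoofing' `
                               -ErrorAction SilentlyContinue
    $enforced = ($null -ne $policy) -and ($policy.EnhancedAntiSpoofing -eq 1)

    if ($build -lt 15063) {
        $finding = 'Older than version 1703: update the OS, then enable anti-spoofing and re-enroll.'
    }
    elseif (-not $enforced) {
        $finding = 'Version 1703 or later, but enhanced anti-spoofing is not enforced by policy.'
    }
    else {
        # The script cannot tell when the face data was enrolled, so this
        # case still needs a manual check.
        $finding = 'Anti-spoofing enforced. Re-enroll Windows Hello face if it was set up before the update.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Build                = $build
        AntiSpoofingEnforced = $enforced
        Finding              = $finding
    }
}

Get-HelloFaceSpoofingStatus | Format-List
```

The policy only has an effect on cameras that support enhanced anti-spoofing, so an enforced value on unsupported hardware does not by itself confirm protection.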
A key element of the attack appears to be taking a headshot of the authenticated user with the near-infrared (IR) camera.
While it's definitely good news to hear that the Creators Update and Fall Creators Update have hardened defenses against spoofing, we must point out that the majority of the notebooks that are shipping these days with Windows Hello cameras don't actually support anti-spoofing. However, the discovery is still a significant weakness for Windows Hello, described by Microsoft as the "most secure way" to unlock Windows 10.
The two videos show the proof of concept attacks, while the third shows how it still works after the system is upgraded to version 1709, assuming Windows Hello was in place in a previous version and hasn't yet been reconfigured after the update.