Issue regarding Windows Vista Speech Recognition


Hey everyone, this is Adrian, and I am writing to try to clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.

In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally, the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone, such as “copy”, “delete”, “shutdown”, etc., and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course, this would be heard, and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions, such as creating a user, without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult, including speaker and microphone placement, microphone feedback, and the clarity of the dictation.

You may ask why this is new to Windows Vista, as previous versions of the operating system do not appear affected. Windows Vista’s sophisticated speech recognition allows for easier operation and extended support for commands. This has been largely used to help facilitate computer use, especially for users who are affected by dexterity difficulties or impairments. You can learn more about Windows Vista’s accessibility tools, including speech recognition, by going to http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/accessibletech.mspx.

While we are taking the reports seriously and investigating them accordingly, I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.

-Adrian

*This posting is provided “AS IS” with no warranties, and confers no rights.*


Comments (10)

  1. Anonymous says:

    Microsoft Security Response Center blog today the following: An issue has been identified publicly where

  2. Anonymous says:

    Emerging accessibility blogifact: "If your PC tells itself to delete files, then it’s good to restart the system." That’s the gist of a security story today. If you’re running Vista, and keep Speech Recognition turned on so you can tell the computer what

  3. Anonymous says:

    Here’s the Vista Daily for Thursday, February 1, 2007. Microsoft dethrones Johnson & Johnson as Most

  4. Anonymous says:

    Be careful, because Microsoft Windows Vista is so intelligent that if you say Format C: Return. out loud it risks…

  5. Anonymous says:

    Windows Vista has been on the market for roughly two weeks now. Here’s a roundup of some of the major

  6. Anonymous says:

    A "security boundary" (fronteira de segurança) is some barrier through which code or access cannot

  7. Anonymous says:

    A "security boundary" (fronteira de segurança) is some barrier through which code or access cannot

  8. Anonymous says:

    Windows Vista has been on the market for roughly two weeks now. Here’s a roundup of some of the major

  9. Anonymous says:

    It's been a long path, but we're finally at the point where I can finally present the threat

  10. Anonymous says:

    As we watched the headlines surrounding the Windows Vista consumer launch this week, we were just waiting for something to happen, other than proclamations from Bill Gates that "this changes everything." Well, apparently so was everybody else, judging..