Microsoft has confirmed an issue with the Windows Vista Speech Recognition feature.
An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While this is possible there are a number of factors that make this "attack" very hard to pull off.
In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as "copy", "delete", "shutdown", etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.
The flaw is being regarded by many as a non issue.
View: Microsoft Security Blog
46 Comments - Add comment