Flaw in Vista Speech Recognition Feature

News spread on 31st January 2007 that Microsoft's new operating system Vista is flawed in its speech recognition feature. Microsoft acknowledged that attackers could exploit the flaw and hijack the computer so it would automatically delete files or folders. Since Vista can accept vocal commands, users are concerned that malicious audio on websites or that sent via e-mail can create performance problems.

Several security researchers posted e-mail messages describing how a trick could work such as a malicious website having an audio file that could command to shut down the system so that the computer precisely does that. In response to this, Adrian Stone of Microsoft's Security Response Center wrote in a blog that the "speech recognition" quality should already be configured and activated in the targeted system for the attack to be successful. Moreover the system should have its speakers and microphone turned on. The "speech recognition" characteristic would pick up commands such as 'copy', 'delete', 'shut down' etc., from the speaker through the microphone and the system would act on those lines.

The voice commands, however, cannot get the system to conduct privileged functions such as creating a user without UAC's instructions for Administrator credentials. Voice commands can't manipulate UAC prompts by default. Other barriers that could make a strike difficult are placement of speaker and microphone, feedback from the microphone, and unclear command.

Rich Mogull, Security Analyst, Gartner Inc., thinks not many users would be interested to configure and execute the feature of voice command in Vista. , The possibility of falling prey to an attack is very low even for those who are interested. But if a user is running the feature and someone stealthily plays the right type of file, some nasty things can happen, he said, reports Washington Post.

To save users from having their computers say aloud harmful commands Microsoft recommends them to disable the speaker or microphone, deactivate the speech recognition feature, or shut down Windows Media Player when they find a file trying to run voice commands on their system. After blocking the source of that file, the system is safe again.

Related article: Flaw For PayPal Website, Opportunity For Fraudsters

» SPAMfighter News - 2/6/2007