Via speech recognition

Feb 1, 2007 10:59 GMT  ·  By

Just as Windows Vista has hit the shelves, Microsoft has confirmed the existence of a remote execution vulnerability in the operating system's speech recognition capabilities, and stated that the matter is currently under investigation.

According to Microsoft's initial evaluation of the public reports, the flaw could allow spoken commands to be executed on a user's machine with the same privileges as the logged-on user. "An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions," revealed a representative of the Microsoft Security Response Center.

However, Microsoft claims that while the attack is technically possible, users' exposure is limited. "In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally, the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy', 'delete', 'shutdown', etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers," added the MSRC representative.

Microsoft doubts the effectiveness of such exploits because the commands would have to be played at an audible level and could not be concealed from the user. Additionally, voice commands alone cannot perform actions with elevated privileges or bypass User Account Control (UAC).

"The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation," explained the MSRC representative.