Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.
In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, ”shutdown”, etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.
You may ask why this is new to Windows Vista as previous versions of the operating system do not appear affected. Windows Vista’s sophisticated speech recognition allows for easier operation and extended support for commands. This has been largely used to help facilitate computing use especially for users that are affected by dexterity difficulties or impairments. You can learn more about Windows Vista’s accessibility tools including speech recognition by going to http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/accessibletech.mspx.
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.
-Adrian
*This posting is provided “AS IS” with no warranties, and confers no rights.*