Vista's Speech Recognition Flaw Exposed

Soon after the launch of Microsoft's much hyped operating system, Windows Vista, comes news of its speech recognition flaw. Microsoft has confirmed that Vista's speech recognition feature can be hijacked, to delete protected files or folders.

Analysts are now concerned about Vista's ability to respond to vocal commands from malicious audio on websites or e-mail. It is also pointed out, that a simple MP3 file of voice instructions can be used to tell the PC to delete documents.

However, Microsoft said the exploit is 'technically possible' but there is no need for users to worry. Adrian, a Microsoft security researcher wrote on Microsoft's security response blog, "In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy', 'delete', 'shutdown', etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation."

He added, "It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation".

Web security firm, Symantec, has warned users that the risk is greater than Microsoft has let on. It alerted its customers late Wednesday about a poster on the Daily Dave mailing list, who reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction. Users have suggested that Vista owners disable the speech recognition feature's ability to automatically load when the operating system launches.

Read more here.