2/1/2007
12:18 PM

Microsoft Confirms Vista Speech Attack Tactic

The company downplays the scenario since the targeted system would need to have the speech recognition feature previously activated and configured.

Windows Vista's speech recognition feature can be used by pranksters to remotely force a PC into executing some commands, Microsoft has confirmed, but the company's security team downplayed the threat.

After several security researchers posted messages on mailing lists detailing how a prank could be done -- a malicious Web site, for example, could host an audio file that shouted out commands to shut down the system -- Microsoft's Security Response Center (MSRC) replied in a blog entry Wednesday.

"In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured," wrote Adrian Stone, an MSRC program manager. "Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands [from the speaker] through the microphone such as 'copy', 'delete', 'shutdown', etc. and acting on them."

According to Microsoft, Vista's User Account Control (UAC) feature can't be circumvented by speech commands.

"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue," said Stone.

Symantec, however, warned users that the risk is greater than Microsoft has let on.

"A poster on the Daily Dave mailing [list has] reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction," Symantec said in an alert sent to customers late Wednesday.

Microsoft has not posted a security advisory or offered work-around advice, but users on mailing lists have suggested that Vista owners disable the speech recognition feature's ability to automatically load when the operating system launches.
