The company downplays the scenario since the targeted system would need to have the speech recognition feature previously activated and configured.
Windows Vista's speech recognition feature can be used by pranksters to remotely force a PC into executing some commands, Microsoft has confirmed, but the company's security team downplayed the threat.
After several security researchers posted messages on mailing lists detailing how a prank could be done -- a malicious Web site, for example, could host an audio file that shouted out commands to shut down the system -- Microsoft's Security Response Center (MSRC) replied in a blog entry Wednesday.
"In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured," wrote Adrian Stone, a MSRC program manager. "Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands [from the speaker] through the microphone such as 'copy', 'delete', shutdown', etc. and acting on them."
According to Microsoft, Vista's User Account Control (UAC) feature can't be circumvented by speech commands.
"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue," said Stone.
Symantec, however, warned users that the risk is greater than Microsoft has let on.
"A poster on the Daily Dave mailing [list has] reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction," Symantec said in an alert sent to customers late Wednesday.
Microsoft has not posted a security advisory or offered work-around advice, but users on mailing lists have suggested that Vista owners disable the speech recognition feature's ability to automatically load when the operating system launches.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?