Microsoft Confirms Vista Speech Attack Tactic - InformationWeek
IoT
IoT
Software // Enterprise Applications
News
2/1/2007
12:18 PM
50%
50%

Microsoft Confirms Vista Speech Attack Tactic

The company downplays the scenario since the targeted system would need to have the speech recognition feature previously activated and configured.

Windows Vista's speech recognition feature can be used by pranksters to remotely force a PC into executing some commands, Microsoft has confirmed, but the company's security team downplayed the threat.

After several security researchers posted messages on mailing lists detailing how a prank could be done -- a malicious Web site, for example, could host an audio file that shouted out commands to shut down the system -- Microsoft's Security Response Center (MSRC) replied in a blog entry Wednesday.

"In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured," wrote Adrian Stone, a MSRC program manager. "Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands [from the speaker] through the microphone such as 'copy', 'delete', shutdown', etc. and acting on them."

According to Microsoft, Vista's User Account Control (UAC) feature can't be circumvented by speech commands.

"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue," said Stone.

Symantec, however, warned users that the risk is greater than Microsoft has let on.

"A poster on the Daily Dave mailing [list has] reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction," Symantec said in an alert sent to customers late Wednesday.

Microsoft has not posted a security advisory or offered work-around advice, but users on mailing lists have suggested that Vista owners disable the speech recognition feature's ability to automatically load when the operating system launches.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll