Sunday, February 04, 2007

Microsoft Downplays Vista Speech-Recognition Hack

According to security researchers, Windows Vista's speech-recognition feature is flawed and hackers could use it to remotely force a PC to execute commands.

Microsoft confirmed the vulnerability on Wednesday -- a day after the consumer launch of the new operating system -- when security researchers began offering details on how pranksters could exploit the speech technology. A malicious Web site, for example, could load an audio file that shouts commands to shut down the operating system without the user's authorization.

While some security researchers believe Vista's first public flaw is, in fact, serious, Microsoft is downplaying the risk, noting that a targeted system's speech-recognition feature would need to be configured correctly for the attack to be successful.

Microsoft Speaks Out

According to the Microsoft Security Response Center (MSRC), a microphone would have to be installed and the speakers turned on for malicious users to take advantage of the weakness. "The exploit scenario would involve the speech-recognition feature picking up commands [from the speaker] through the microphone such as 'copy,' 'delete,' 'shutdown,' etc. and acting on them," Adrian Stone, MSRC program manager, wrote in an MSRC blog post.

Microsoft maintains that Vista's User Account Control (UAC) feature -- the new Vista feature responsible for not giving rogue programs administrator-level access to key operating system functions without first getting approval from users -- can't be circumvented by speech commands. And Stone said he is confident that consumers don't need to worry about the issue. Microsoft is nonetheless taking the reports seriously and investigating them accordingly, Stone added.

However, Symantec argues that the risk is greater than Microsoft is reporting. "A poster on the Daily Dave mailing [list has] reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction," Symantec said in an alert released to customers.

Much Ado About Nothing?

Most security researchers, however, appear to be siding with Microsoft's stance on the issue. "We don't think this is going to become a big deal in the real world. I guess this shows just how hard it is to think of all possible ways of attacking a system," said Mikko Hypponen, a security researcher with F-Secure.

Fred Doyle, an analyst at Verisign iDefense, said he was not surprised by the flaw. He recalled a similar flaw in the Macintosh operating system that allowed people to shut down a computer by shouting the command from afar. Like Hypponen, Doyle doesn't rate the risk high priority because the speech-recognition feature is not widely used. "As with any new release of any new software, there are bound to be some issues that were overlooked in the design," he explained. "We are researching at this time several potential flaws."

Proofs of concept for the speech-recognition flaw have been published, but Doyle said he is not aware of any malicious Web sites that are actively exploiting the vulnerability. Vista users who are concerned about the vulnerability can simply deactivate the speech-recognition feature until Microsoft issues a patch, he said.

Thomas Kristensen, CTO at Secunia, offered a similar take. "We don't really consider this a vulnerability and only a marginal group of people with this specific support for the disabled are at risk," he said. "The average user need not be concerned about this."