The Problem with Vista Voice Rec

The Problem with Vista Voice Recognition
by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

Among Windows Vista's new features is robust voice recognition, which sounds rather innocuous. But as it turns out, that isn't the case.

The voice recognition feature lets you talk to the computer (fortunately, it doesn't talk back!) to issue commands, dictate documents, and so on. Therein resides the first vulnerability discovered since Vista's release to consumers last week. Vista can act on verbal commands, and it doesn't matter where those commands come from--they can even come from your computer's speakers!

In his blog, Sebastian Krahmer wrote: "Yesterday I had the idea to use Vista's speech recognition system for remote exploiting. By embedding commands into a soundfile offered by an evil website or into all these Web 2.0 videos, remote attackers might be able to execute commands on a Vista system while they are
spoken upon viewing." http://list.windowsitpro.com/t?ctl=4975D:6C179869417CFF56788BC9E860EBE818

Shortly after Krahmer echoed his idea onto the Dailydave mailing list (at the URL below) George Ou decided to give it a try. He made an audio file with embedded spoken commands and played the file. His Vista computer acted on the commands. Microsoft subsequently confirmed the vulnerability. http://list.windowsitpro.com/t?ctl=4975C:6C179869417CFF56788BC9E860EBE818

The vulnerability leaves plenty of room for intruders to go hog-wild creating all sorts of malicious audio-command files. Fortunately, the voice recognition system isn't enabled by default in new Vista installations. Nevertheless, I have to wonder along with Ou why Microsoft didn't integrate a preliminary security system into the voice recognition system. By not requiring some sort of spoken passphrase, the company left a door wide open in Vista.

In Microsoft's Security Response Center blog, Adrian wrote, "It is not possible through the use of voice commands to get the system to perform privileged
functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default." http://list.windowsitpro.com/t?ctl=49755:6C179869417CFF56788BC9E860EBE818

While that's true, it's still possible to delete files, execute code that doesn't require elevated privileges, and do who knows what other mischief. So, if you must use the voice command system, at least turn off the microphone when you're finished. Hopefully, Microsoft will release a fix for this problem soon. In the meantime, be careful of running audio files with unknown content and of pranksters who might walk by your desk or call you on VoIP and say things like "shut down."