Posted by Blair in Security
Imagine you open up your shiny new Windows Vista notebook. You’re feeling confident, feeling secure. You connect to the Internet. Suddenly, as you’re surfing a webpage, audio plays through the speakers. As you watch, the built-in microphone pics it up, and Vista’s voice recognition is enabled. The audio from the webpage then opens Windows Explorer, deletes all your documents, and empties the recycle bin. This is just one scenario, and it’s been confirmed by Microsoft as a possible exploit. Here’s a portion of the official response from Microsoft:
Thanks for your patience as I looked into this. I heard back from the folks at the MSRC, and they let me know that Microsoft is investigating public reports of a possible vulnerability in Windows Vista?s speech recognition feature. Microsoft?s initial investigation reveals that this vulnerability could allow an attacker to use the speech recognition feature in Windows Vista to verbally execute commands on a user?s computer. The attackers? commands are limited to the rights of the logged on user. User Account Control prohibits the attacker from executing any administrative level commands.
In order for an attack to be successful, the user would have to have a microphone and speakers connected to their system. In addition, the user would have had to configure the speech recognition feature. The attackers? audio file would then issue verbal commands via the systems speakers that could potentially be carried out by the speech recognition feature. Based on the initial investigation, Microsoft recommends customers take the following action to protect themselves from potential exploitation of the reported vulnerability:
- A user can turn off their computer speakers and/or microphone.
- If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition and restart their computer.
I still haven’t decided. Is this more funny, or scary?