Microsoft Downplays Vista Speech-Recognition Hack
According to security researchers, Windows Vista’s speech-recognition feature is flawed and hackers could use it to remotely force a PC to execute commands.
Microsoft confirmed the vulnerability on Wednesday — a day after the consumer launch of the new operating system — when security researchers began offering details on how pranksters could exploit the speech technology. A malicious Web site, for example, could load an audio file that shouts commands to shut down the operating system without the user’s authorization.
While some security researchers believe Vista’s first public flaw is, in fact, serious, Microsoft is downplaying the risk, noting that a targeted system’s speech-recognition feature would need to be configured correctly for the attack to be successful.
Microsoft Speaks Out
According to the Microsoft Security Response Center (MSRC), a microphone would have to be installed and the speakers turned on for malicious users to take advantage of the weakness. “The exploit scenario would involve the speech-recognition feature picking up commands [from the speaker] through the microphone such as ‘copy,’ ‘delete,’ ‘shutdown,’ etc. and acting on them,” Adrian Stone, MSRC program manager, wrote in an MSRC blog post.
Microsoft maintains that speech commands can’t circumvent Vista’s User Account Control (UAC), the new Vista feature that keeps rogue programs from gaining administrator-level access to key operating system functions without first getting approval from users. Stone said he is confident that consumers don’t need to worry about the issue. Microsoft is nonetheless taking the reports seriously and investigating them accordingly, Stone added.
However, Symantec argues that the risk is greater than Microsoft is reporting. “A poster on the Daily Dave mailing [list has] reported that he was able to craft a recording that successfully downloaded and executed a file from the Internet as well as manipulated the file system without requiring user interaction,”…
















