Now that Windows Vista has been released to consumers, the flaw
finders are working overtime to find the first security cracks.
The quest led to an interesting discussion in recent days among
security experts on the
Dailydave mailing list about a potential way to
trick Vista's speech recognition feature into running malicious
code.
A member of the list asked if the voice command feature could
indeed be tricked if an attacker posted an audio file on a Web site
and then lured a user there, at which point the file would play and
spew audio commands at the user's machine.
List members bounced the idea around for a day or two before
one member found a way to pull it off. The early word on this
is that a user would have to have the voice command enabled on his
PC and be unconscious or away from the machine for an attack to
work. The attack is not able to bypass Vista's User Account
Control, according to the messages on the list.
The discussion has generated plenty of chatter in the
blogosphere, but nobody is suggesting this is a threat worth taking
seriously.
The
Microsoft Security Response Center (MSRC) blog acknowledged
that the software giant is looking into the issue. While the
exploit may be possible from a technical standpoint, the center
said there's little chance much could be done with this.
"In order for the attack to be successful, the targeted system
would need to have the speech recognition feature previously
activated and configured," the MSRC said. "Additionally, the system
would need to have speakers and a microphone installed and turned
on. The exploit scenario would involve the speech recognition
feature picking up commands through the microphone such as 'copy,'
'delete,' 'shutdown' etc. and acting on them."
The user would easily pick up on what was going on if they were
in front of the PC during the attempted exploitation, the MSRC
said, adding that an attack would also be hard to pull off because
it's not possible through the use of voice commands to get the
system to perform privileged functions such as creating a user
without being prompted by UAC for administrator credentials.
"While we are taking the reports seriously and investigating
them accordingly … there is little if any need to worry about the
effects of this issue on your new Windows Vista installation," the
blog entry concluded.
In the McAfee Avert
Labs blog, Pedro Bueno noted that the technique in question
really isn't new.
"I remember last year, when I was chatting with a friend, and
suddenly some out of order letters appeared in the chat room, like
'hey, I was skdhgkahgjfag, then…' and she thought that something
was really wrong with her computer," he wrote. "She figured out
that her microphone was on and the speech recognition was on too,
so for some of the sounds that she was saying at the time, out load
or to her family, Windows was trying to 'help' her to write
it."
In the final analysis, he said, "I don't really think that this
Vista speech command is so bad after all. But just like any other
service, if you don't need it, disable it!"
Adrian W. Kingsley-Hughes, a technical consultant and author
based in the UK, wrote in his PC Doctor
blog that he sees little risk in a voice activation exploit
simply because Vista isn't widespread and even fewer people will
use speech recognition. Like other experts, he said those who are
concerned should disable the speech recognition.
While nobody sees much of a threat right now, some blogs noted
that it could become a bigger source of worry someday.
"Could a voice or video file sent in an e-mail lead to disaster?
Could a friend (or foe) talking to you via voice chat take control
of your computer? Heck, could someone calling into a radio station
talk show shutdown your computer?" Joseph Fieber asked in his
It's Vista blog. "Time will tell, as their are surely those out
there trying to figure out how to make this very novel method of
attack a reality."
The Techdirt blog noted that
an attacker doesn't need a high rate of success for a technique
like this to be worth trying. "For Microsoft, it will probably be
one of several security issues it will have to deal with down the
road," the blog concluded.