Security Blog Log: Vista voice trick more amusement than concern

This week in Security Blog Log: Much is made of a technique that could trick Vista's voice command feature into running malicious code. But it doesn't look like much of a threat.

Now that Windows Vista has been released to consumers, the flaw finders are working overtime to find the first security cracks.

The quest led to an interesting discussion in recent days among security experts on the Dailydave mailing list about a potential way to trick Vista's speech recognition feature into running malicious code.

A member of the list asked if the voice command feature could indeed be tricked if an attacker posted an audio file on a Web site and then lured a user there, at which point the file would play and spew audio commands at the user's machine.

List members bounced the idea around for a day or two before one member found a way to pull it off. The early word on this is that a user would have to have the voice command enabled on his PC and be unconscious or away from the machine for an attack to work. The attack is not able to bypass Vista's User Account Control, according to the messages on the list.

The discussion has generated plenty of chatter in the blogosphere, but nobody is suggesting this is a threat worth taking seriously.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

Recent columns:

Storm Trojan: Worse than it should have been

TJX gets little sympathy from blogosphere

'Month-of' flaw projects come under fire

The Microsoft Security Response Center (MSRC) blog acknowledged that the software giant is looking into the issue. While the exploit may be possible from a technical standpoint, the center said there's little chance much could be done with this.

"In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured," the MSRC said. "Additionally, the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy,' 'delete,' 'shutdown' etc. and acting on them."

The user would easily pick up on what was going on if they were in front of the PC during the attempted exploitation, the MSRC said, adding that an attack would also be hard to pull off because it's not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for administrator credentials.

"While we are taking the reports seriously and investigating them accordingly … there is little if any need to worry about the effects of this issue on your new Windows Vista installation," the blog entry concluded.

In the McAfee Avert Labs blog, Pedro Bueno noted that the technique in question really isn't new.

"I remember last year, when I was chatting with a friend, and suddenly some out of order letters appeared in the chat room, like 'hey, I was skdhgkahgjfag, then…' and she thought that something was really wrong with her computer," he wrote. "She figured out that her microphone was on and the speech recognition was on too, so for some of the sounds that she was saying at the time, out load or to her family, Windows was trying to 'help' her to write it."

In the final analysis, he said, "I don't really think that this Vista speech command is so bad after all. But just like any other service, if you don't need it, disable it!"

Adrian W. Kingsley-Hughes, a technical consultant and author based in the UK, wrote in his PC Doctor blog that he sees little risk in a voice activation exploit simply because Vista isn't widespread and even fewer people will use speech recognition. Like other experts, he said those who are concerned should disable the speech recognition.

While nobody sees much of a threat right now, some blogs noted that it could become a bigger source of worry someday.

"Could a voice or video file sent in an e-mail lead to disaster? Could a friend (or foe) talking to you via voice chat take control of your computer? Heck, could someone calling into a radio station talk show shutdown your computer?" Joseph Fieber asked in his It's Vista blog. "Time will tell, as their are surely those out there trying to figure out how to make this very novel method of attack a reality."

The Techdirt blog noted that an attacker doesn't need a high rate of success for a technique like this to be worth trying. "For Microsoft, it will probably be one of several security issues it will have to deal with down the road," the blog concluded.

Read more on IT risk management