By Stan Beer Friday, 02 February 2007
It appears that Microsoft's new operating system Windows Vista is too smart for its own good. A blogger has found that Vista's speech recognition system is good enough for hackers to issue security-breaching commands using malicious sound files on rogue websites.
One of the less touted features of Vista is its vastly improved speech recognition system, which allows users to issue commands using spoken words instead of via the keyboard. Naturally, the question arises as to whether hackers could exploit this feature by issuing recorded commands through a computer's speakers.
According to a ZDNet blogger, the answer is yes. George Ou reported that he played a sound file on his PC containing commands which Vista subsequently recognized and executed.
After getting wind of the report by Ou, Microsoft responded by pointing out that a computer would have to be equipped with speakers and have a microphone attached. In addition, speech recognition would need to be enabled. Finally, the User Account Control (UAC) security feature of Vista would by default not allow administrator-level privileges to be executed by voice.
However, these days many PC users communicate over their computers using Internet telephony programs such as Skype and thus have microphones and speakers permanently attached. In addition, many laptop PCs have built-in microphones and speakers. Also, it may seem strange to many users not to enable a key feature of Vista such as speech recognition.
Therefore, it would appear that on at least a significant proportion of PCs, the conditions may be right for a potential exploit to take place. As far as UAC is concerned, some reviewers have tipped that a fair proportion of users may disable it because of the continual annoyance of having to tick query boxes.
The conditions for an attack to occur, therefore, may not be as rare as Microsoft indicates. However, the advice that users should turn off their speakers and microphones when they leave their PCs would appear to be sound (no pun intended).