On CBS MoneyWatch: Double Foreclosures for Nicolas Cage
BNET Business Network:
BNET
TechRepublic
ZDNet

January 31st, 2007

Microsoft confirms Vista Speech Recognition remote execution flaw

Posted by George Ou @ 1:42 pm

Categories: Desktop, News, Security, Vista

Tags:

In Focus » See more posts on: Vista

After my initial reports on the first Vista Remote Exploit, a Microsoft spokesperson responded to me with the following message.

Thanks for your patience as I looked into this. I heard back from the folks at the MSRC, and they let me know that Microsoft is investigating public reports of a possible vulnerability in Windows Vista’s speech recognition feature. Microsoft’s initial investigation reveals that this vulnerability could allow an attacker to use the speech recognition feature in Windows Vista to verbally execute commands on a user’s computer. The attackers’ commands are limited to the rights of the logged on user. User Account Control prohibits the attacker from executing any administrative level commands.

In order for an attack to be successful, the user would have to have a microphone and speakers connected to their system. In addition, the user would have had to configure the speech recognition feature. The attackers’ audio file would then issue verbal commands via the systems speakers that could potentially be carried out by the speech recognition feature. Based on the initial investigation, Microsoft recommends customers take the following action to protect themselves from potential exploitation of the reported vulnerability:

  • A user can turn off their computer speakers and/or microphone.
  • If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition and restart their computer.

Microsoft will continue its investigation and will provide additional guidance and mitigation to further help protect customers as necessary. Upon completion of this investigation, Microsoft will take further action to help protect our customers.

It’s important to note that Windows Vista has been developed with the highest attention to security and is the first client-based operating system to go through the complete Security Development Lifecycle (SDL). Building on the significant security advances in Windows XP Service Pack 2, Windows Vista includes fundamental architectural changes that will help make customers more secure from evolving threats, including worms, viruses, and malware. These improvements minimize the operating system’s attack surface area, which in turn improves system and application integrity and helps organizations more securely manage and isolate their networks.

Customers who believe they are affected should contact Product Support Services, at no charge, using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

This pretty much confirms what I've been saying all along and I had recommended that Vista users do not leave their Speech Recognition feature unattended.  However, good security defenses should never rely on user action to prevent exploits.  It is my belief that Microsoft should filter out sounds coming from the computer which makes its way back in to the system via Microphone before it gets processed by the Speech Recognition engine as the long term solution.  A short term solution is for Microsoft to implement keywords like Apple which allows a user to select a unique word to say to unlock a speech recognition engine.  At this point in time, Microsoft will not commit to a patch and are still investigating the issue.

I've also done some further experimentation that this exploit can be very nasty even if it can't execute with administrative privileges or bypass UAC.  I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.  Then we have to consider the fact that people do leave many webpages open over night and some of those may have rotating flash ads that can play sounds.  If that's not a serious exploit, I don't know what is.  One can always rebuild system files by reinstalling the Operating System, data files can't be recovered since the vast majority of people don't backup.

[Update 2/1/2007]
Disagreement over impact of Vista’s analog hole

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 48 Talkback(s)
RE: Microsoft confirms Vista Speech Recognition remote execution flaw
What about using the password option once your screensaver de-activates? Just a thought. (Read the rest)
Posted by: Althar if Posted on: 10/20/07 You are currently: a Guest | | Terms of Use
what is the relationship?  patibulo | 01/31/07
Very simple  nucrash | 01/31/07
But they already said to turn off the media player and shut down speech  georgeou | 01/31/07
I don't know where that came from  georgeou | 01/31/07
But he does have a point...  Tony Agudo | 01/31/07
You don't even need to logoff  georgeou | 01/31/07
I do see a problem with this  nucrash | 02/01/07
Ouch...  Tony Agudo | 02/01/07
Surprising it was easier than that  nucrash | 02/01/07
Very different situation  mdemuth | 02/01/07
I love it!  nomorems | 02/01/07
"your mouse has moved, windows needs to reboot"  kraterz | 01/31/07
Don't they have HEADPHONES in Redmond?  dave.leigh@... | 01/31/07
There was a Dilbert strip...  bportlock | 02/01/07
The UserFriendly strips were better  dave.leigh@... | 02/01/07
Loved the deletion strip  Tony Agudo | 02/01/07
I guess headphones is one solution  zkiwi | 01/31/07
Sure, but not everyone uses headphones  georgeou | 02/01/07
I think a better solution  nomorems | 02/01/07
I can just see it now  mdsmedia | 02/01/07
This is pure FUD  carlhardw | 02/01/07
Carl!  nomorems | 02/01/07
this ?safety gap? would have then each speak recognition software  carlhardw | 02/01/07
Please, Carl!  nomorems | 02/01/07
This just in!!!  techboy_z | 02/01/07
vista - the ultimate media machine  stephenf@... | 02/01/07
Good Investigative Work  FreeStyleWork | 02/01/07
Thanks  georgeou | 02/01/07
You're kidding, right?  Jaykul | 02/01/07
I got it to work  georgeou | 02/01/07
Of course you did  Jaykul | 02/01/07
Yes, less reliable but yes  georgeou | 02/01/07
Just those who use voice recognition  Jaykul | 02/01/07
/golfclap congrats on distorting facts to make Vista look bad  JamesDoyle | 02/01/07
Not necessarily just for the handicapped  Tony Agudo | 02/01/07
If you knew anything about me, you'd know I don't troll MS  georgeou | 02/01/07
Not FUD  deadplant | 02/01/07
Silliest thing I ever read....  blohrer@... | 02/01/07
the point remains - it's exploitable  mdsmedia | 02/01/07
yer bunk  deadplant | 02/01/07
no ticky no laundry  picardo288 | 02/02/07
Another Vulnerability Found!  coffeefueled | 02/02/07
If you don't understand the difference between a website  georgeou | 02/02/07
Possible? Sure. Likely? NOT  bumberfsck | 02/02/07
Just need to be a good clear voice  georgeou | 02/02/07
Radio  charles.harcq@... | 02/03/07
RE: Microsoft confirms Vista Speech Recognition remote execution flaw  Althar if | 10/20/07
RE: Microsoft confirms Vista Speech Recognition remote execution flaw  Althar if | 10/20/07

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Click Here
advertisement

Recent Entries

Top Rated

    advertisement

    Archives

    ZDNet Blogs

    White Papers, Webcasts, and Downloads

    SmartPlanet

    • Thought-provoking progressive ideas on diverse topics that intersect with technology, business, and life, and matter to the world at large. Visit SmartPlanet
    • More from IBM
    • Innovate your business' process model, play against the market, compete against others on our scoreboards and WIN! Try INNOV8 2.0: A BPM Simulator
    • Enabling Real-World Business Transformation through IBM Service Management Read the EMA Analyst Report
    Click Here