Vista Speech Recognition Security Vulnerability Info

You knew it was coming. Now that Vista has been released I’ve been preparing for an onslaught of info that calls a lot of the security features into question, given the big push towards better security as a marketing angle. I’m sure we’ll see more.

But info I didn’t expect to see surfaced about a potential vulnerability with Vista’s improved voice recognition. Apparently the flaw here is that if everything is configured just so, someone could issue voice commands over your computer (i.e. via Skype) that could potentially be picked up by a microphone and do bad things to your computer.


At the Microsoft Security Response Blog, they’ve acknowledged the issue and laid out just how remote a chance this has of occuring while assuring folks they are looking into it. Here’s a quote:

In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, ”shutdown”, etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers.  Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation.  It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default.  There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.