Reportedly, a flaw has been detected in Microsoft's Vista operating system that could allow remote attackers to take advantage of the speech recognition feature.
Reportedly, a flaw has been detected in Microsoft's Vista operating system that could allow remote attackers to take advantage of the new system's speech recognition feature.
Microsoft said that its researchers are investigating the reports of a vulnerability that could allow an attacker to use the speech recognition feature to run malicious programs on Vista systems using prerecorded verbal commands.
The company also said that the speech recognition flaw is novel and notable for being the first publicized flaw in the new operating system since the public launch of Vista earlier this week.
It is, however, learnt that the impact of the flaw is expected to be small. Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system.
Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer's owner to download and play an audio recording of the malicious commands. But even then, the commands would somehow have to be issued without attracting the attention of the computer's owner. And finally, attackers' commands are limited to the access rights of the logged-on user, which might prevent access to any administrative commands.
A Microsoft security researcher also pointed out that verbal commands could not be used for privileged functions such as creating a new user or formatting a drive. Besides, there are also additional barriers that would make an attack difficult including speaker and microphone replacement, microphone feedback, and the clarity of the dictation.
Microsoft has also recommended that users who are concerned about having their computer shout-hacked should either disable the speaker or microphone, turn off the speech recognition feature, or shut down Windows Media Player if they encounter a file that tries to execute voice commands on their system.
Meanwhile, customers who believe that they have been shout-hacked can contact Microsoft Product Support Services.