Microsoft talks down speech recognition bug

Microsoft has admitted that the speech recognition feature in Windows Vista could be used to hijack a PC running the operating system.

The company said in a posting on the Microsoft Security Response Centre blog that an issue has been identified in which an attacker could use the speech recognition capability to cause the system to take "undesired actions".

"While it is technically possible, there are some things that should be considered when trying to determine the threat of exposure to your Windows Vista system," the posting said.

In order for the attack to be successful, Microsoft claimed that the targeted system would need to have the speech recognition feature previously activated and configured.

The system would also need to have speakers and a microphone installed and turned on.

The exploit would involve the speech recognition feature picking up commands through the microphone such as 'copy', 'delete' or 'shutdown'.

The vulnerability relies on commands coming from an audio file being played through the speakers, and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation.

It is not possible through the use of voice commands to get the system to perform privileged functions, such as creating a user, without being prompted by Microsoft's User Account Control (UAC) for Administrator credentials.

"The UAC prompt cannot be manipulated by voice commands by default," said the blog posting.

"There are also additional barriers that would make an attack difficult, including speaker and microphone placement, microphone feedback and the clarity of the dictation."