OT: Vista's "ultimate" security :)

Bob Rasmussen ras at anzio.com
Tue Feb 6 07:22:30 PST 2007


On Tue, 6 Feb 2007, Fairlight wrote:

> Wow, it was released less than a week ago and already it hits SANS with the
> first vulnerability...and an amusing one at that:
> 
> *****
> 07.6.1 CVE: Not Available
> Platform: Windows
> Title: Windows Vista Voice Recognition Command Execution
> Description: Windows Vista is prone to a command execution
> vulnerability because of its built-in voice recognition capability.
> When voice recognition is enabled and when the speakers and microphone
> are on and the volume is adjusted appropriately, voice commands given
> via an audio file may be executed by the operating system. Several
> versions of Windows Vista are affected.
> *****

Thanks for this amusing (and amazing) eye-opener. A couple of minor 
points:

1. Although Vista has just been released to retail, it has been available 
to developers for many months. In fact, voice recognition has been part of 
the TabletPC for years; presumably they have the same vulnerability, as 
do Dragon, ViaVoice, etc.

2. I believe a software patch could prevent this, while still allowing 
voice control. Such a patch could operate similarly to an anti-feedback 
check, by preventing acceptance of audio that was currently being output.

3. Most voice recognition programs have to be trained. It is unlikely that 
a random voice command would be understood (although a low success rate 
for a virus does not necessarily kill it).

Still, it's interesting.

Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.

personal e-mail: ras at anzio.com
 company e-mail: rsi at anzio.com
          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
            fax: (US) 503-624-0760
            web: http://www.anzio.com
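
The anti-feedback check suggested in point 2, sketched as an added example (not part of the original message and not any vendor's actual fix): captured microphone audio is correlated against the buffer currently being sent to the speakers, and a command is refused when the two match at some small delay. The function names, the 0.5 threshold, the 64-sample lag window and the signals are all assumptions constructed for illustration.

```python
import math
import random

def correlation(a, b):
    """Normalized (Pearson) correlation of two equal-length sample windows."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0

def echo_score(mic, played, max_lag):
    """Best |correlation| between mic input and playback over delays 0..max_lag."""
    window = len(played) - max_lag
    best = 0.0
    for lag in range(max_lag + 1):
        best = max(best, abs(correlation(mic[lag:lag + window], played[:window])))
    return best

def accept_command(mic, played, max_lag=64, threshold=0.5):
    """Return False when the captured audio looks like our own speaker output."""
    if not any(played):  # nothing is being played, so nothing can feed back
        return True
    return echo_score(mic, played, max_lag) < threshold

# Constructed sample signals (noise-like waveforms stand in for real audio).
rng = random.Random(2007)
N, DELAY = 800, 37
played = [rng.gauss(0, 1) for _ in range(N)]
# Speaker -> air -> microphone: delayed, attenuated, plus room noise.
mic_echo = [0.0] * DELAY + [0.6 * s for s in played[:N - DELAY]]
mic_echo = [m + rng.gauss(0, 0.2) for m in mic_echo]
mic_live = [rng.gauss(0, 1) for _ in range(N)]  # a user speaking, unrelated to playback

if __name__ == "__main__":
    print("echoed playback accepted:", accept_command(mic_echo, played))
    print("live speech accepted:   ", accept_command(mic_live, played))
```

A user speaking over playback produces a mix of both signals, so a production design would subtract the estimated echo (as acoustic echo cancellers do) before recognition rather than only gating on the score.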


More information about the Filepro-list mailing list