Vista hole opens door to 'shout hacking'
LATEST NEWS
SUBSCRIBE
Computerworld is New Zealand's only specialised information systems fortnightly. Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
SIGN UP
But the impact of the flaw is expected to be small
By Paul F. Roberts | San Francisco | Monday, 5 February, 2007
The honeymoon ended early for Microsoft's Vista operating system, after word spread last week about a flaw that could allow remote attackers to take advantage of the new operating system's speech recognition feature.
Microsoft researchers are investigating the reports of a vulnerability that could allow an attacker to use the speech recognition feature to run malicious programs on Vista systems using prerecorded verbal commands, the company says.
The potential security hole was discovered after an online discussion prompted blogger George Ou to try out a speech-based hack. Ou reported on ZD Net that he was able to access the Vista Start menu and, conceivably, run programs using voice commands played over the system's speakers.
The speech recognition flaw is novel and notable for being the first publicised hole in the new operating system since the public launch of Vista last Tuesday.
The impact of the flaw, however, is expected to be small. Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system. Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer's owner to download and play an audio recording of the malicious commands. Even then, the commands would somehow have to be issued without attracting the attention of the computer's owner.
Finally, attackers’ commands are limited to the access rights of the logged on user, which may prevent access to any administrative commands, says Microsoft.
Microsoft recommends that users who are concerned about having their computer shout-hacked disable the speaker or microphone, turn off the speech recognition feature, or shut down Windows Media Player if they encounter a file that tries to execute voice commands on their system.
Customers who believe they have been shout-hacked can contact Microsoft Product Support Services, says the company.
MOST POPULAR
- Facebook CIO is keynote speaker at CIO Summit in June
- Kim Dotcom wants “his money back”
- IT should become the fourth science in schools: Orion Health boss
- “Extraordinary secrecy” in briefing to ICT Minister: Labour
- IRD tells minister the bad news on FIRST - again
- iPhone 5 rumor rollup for the week ending Feb. 2
Social Media @Computerworld NZ
Computerworld NZ has now reached LinkedIn! Join to expand your networks and meet others interested in information systems.
