Could A Podcast Hack Windows Vista?
Feb 2nd, 2007 | By James Lewin | Category: Audio Podcasting, General, StrangeA vulnerability in Microsoft’s recently released operating system appears to let an audio¬†podcast hack Windows Vista. Vista’s speech recognition feature can let attackers run malicious programs using recorded audio commands.
Microsoft has confirmed the vulnerability:
Microsoft’s initial investigation reveals that this vulnerability could allow an attacker to use the speech recognition feature in Windows Vista to verbally execute commands on a user’s computer. The attackers’ commands are limited to the rights of the logged on user. User Account Control prohibits the attacker from executing any administrative level commands.
In order for an attack to be successful, the user would have to have a microphone and speakers connected to their system. In addition, the user would have had to configure the speech recognition feature. The attackers’ audio file would then issue verbal commands via the systems speakers that could potentially be carried out by the speech recognition feature. Based on the initial investigation, Microsoft recommends customers take the following action to protect themselves from potential exploitation of the reported vulnerability:
- A user can turn off their computer speakers and/or microphone.
- If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition and restart their computer.
Microsoft will continue its investigation and will provide additional guidance and mitigation to further help protect customers as necessary. Upon completion of this investigation, Microsoft will take further action to help protect our customers.
The speech recognition flaw¬†could make¬†it possible for a podcast or other audio file to do things like delete a Vista user’s documents and then empty the trash. The risk of this is low, but significant enough that users should avoid enabling speech recognition within Vista.
The flaw is notable for being the first publicized hole in the new operating system since the public launch of Vista on Tuesday.
No. (Not as read) It may also take some effort to balance the speaker output to microphone input without generating an annoying feedback hum. It also depends on the placement of the microphone to where it might be able to clearly pick up the speakers, as opposed to someone wearing a headset for instance.
There is also some information missing from previous reports on this issue. A user can disable Speech Recognition from coming on automatically by going to the speech Recognition options and unchecking “Run Speech Recognition at startup”.
While at that dialog, a user can also disable the default speech profile for the system, and train their own unique profile to reduce the risk that outside voices and noise can be recognized as valid for input instead of their own voice.
who put this press release out? this is so lame. well if your lame enough to have your computer hacked by a podcast, you deserve it. this is like listening to techno with a clapper. Watch out! dance music will hack your electrical devices. (ok well only if you have the clapper on and theres clapping noise. oh yeah also you need electricity) WTF?
Shahram – it would suck to get the clap from a podcast!
It seems extremely remote that any Vista user would get hacked by an audio file – but it’s an interesting possibility.