Windows Vista vulnerable to speech recognition attack - Action News

Microsoft Corp. is playing down reports that it is possible for an attacker to use the speech recognition function of its new Windows Vista operating system to execute commands on a personal computer.

The world's largest software maker has been touting stronger security features in the new OS. Consumer versions were launched on Jan. 30.

"While we are taking the reports seriously and investigating them accordingly, I am confident in saying that there is little, if any, need to worry about the effects of this issue on your new Windows Vista installation," Microsoft security response centre researcher Adrian Stone wrote in a post to the group's blog Wednesday.

For the attack to work, a potential victim would need to have the speech recognition feature activated, have the speakers and microphone turned on, and either be tricked into opening a file that plays audio commands or be lured to a specially crafted web page that automatically plays an audio file when it loads.

"Of course, this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation," Stone wrote, noting that it is not possible to use the vulnerability to perform "privileged functions" such as creating a user.

The vulnerability affects computers running Vista and not older versions of Windows, Stone wrote, because the new operating system's speech recognition features were designed to be more extensive and easier to use to help people with impaired or lower dexterity.

Sebastian Krahmer suggested the possibility of the vulnerability on his software blog C Skills, and it was subsequently tested and reported by ZDNet technology writer George Ou on his Real World IT blog.