Windows Vista Voice Recognition Command Execution Vulnerability
Friday 2nd February, 2007 10:22 Comments: 1
I was surprised to see that this even made BBC News. A lot of people are talking about how, for example, an MP3 file of voice instructions could potentially be used to tell the PC to delete documents. I suspect this is because they can't come up with any decent vulnerabilities (except perhaps a DRM bypass one discovered by Alex Ionescu).
In order for the attack to be successful, the targeted system would need to have the speech recognition feature (disabled by default) previously activated and configured. The system would also need to have speakers and a microphone (that can hear the speakers) installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as "copy", "delete", "shutdown", etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers, such as an MP3 embedded in a web page. Of course this would be heard by the user (unless they were deaf, but then you'd have to wonder why they'd have the speakers on) and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. Unless you're silly enough to disable the UAC prompts, it is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult, such as the clarity of the dictation.
Well it seems that this (fairly well mitigated) feature has now turned up on Security Focus as a vulnerability (Secunia haven't said anything... at least not yet, they currently only have one listed vulnerability - the Client Server Run-Time Subsystem, which is hopefully still a proof of concept). Well it's made me think about reporting another code execution vulnerability that I just thought of:
Windows Vista Keyboard Command Execution Vulnerability
Windows Vista is prone to a command-execution vulnerability because of its built-in keyboard capability.
An attacker can exploit this issue to execute commands on a victim user's computer.
Note: Due to the nature of the vulnerability, victim users will notice exactly what is occurring as it happens.
To exploit this issue, an attacker must entice an unsuspecting user to allow access to their home in order to type on the user's keyboard. Alternately, the attacker may choose to enter the home when no one else is around.
In order for the attack to be successful, the targeted system would need to have the speech recognition feature (disabled by default) previously activated and configured. The system would also need to have speakers and a microphone (that can hear the speakers) installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as "copy", "delete", "shutdown", etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers, such as an MP3 embedded in a web page. Of course this would be heard by the user (unless they were deaf, but then you'd have to wonder why they'd have the speakers on) and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. Unless you're silly enough to disable the UAC prompts, it is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult, such as the clarity of the dictation.
Well it seems that this (fairly well mitigated) feature has now turned up on Security Focus as a vulnerability (Secunia haven't said anything... at least not yet, they currently only have one listed vulnerability - the Client Server Run-Time Subsystem, which is hopefully still a proof of concept). Well it's made me think about reporting another code execution vulnerability that I just thought of:
Windows Vista Keyboard Command Execution Vulnerability
Windows Vista is prone to a command-execution vulnerability because of its built-in keyboard capability.
An attacker can exploit this issue to execute commands on a victim user's computer.
Note: Due to the nature of the vulnerability, victim users will notice exactly what is occurring as it happens.
To exploit this issue, an attacker must entice an unsuspecting user to allow access to their home in order to type on the user's keyboard. Alternately, the attacker may choose to enter the home when no one else is around.
Robert - Tuesday 6th February, 2007 15:58
Someone mentioned this online, which I must admit I hadn't thought about as a mitigation technique: Vista allows you to mute individual programs, Internet Explorer would be a good example.