Windows Vista’s speech recognition feature can be hijacked to delete protected files or folders, the world's largest software maker admitted. However, the company's security team downplayed the flaw.
Microsoft's much-hyped operating system Vista was launched on January 30. Merely a day later, the software giant acknowledged a flaw that could allow remote attackers to take advantage of the new operating system's speech recognition feature.
Microsoft said that although the exploit is "technically possible," users need not worry, because they would have to activate and configure the speech recognition feature, and switch on the microphone and speakers, for a hacker to exploit the flaw. The user can even hear the voice commands made by the hacker while using this feature, and can take immediate action, the company said.
"In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured," Adrian Stone, a program manager in Microsoft's Security Response Center (MSRC), wrote in an official blog.
"Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands [from the speaker] through the microphone such as 'copy', 'delete', 'shutdown', etc. and acting on them," Stone explained.
According to Microsoft, Vista's User Account Control (UAC) feature cannot be manipulated by speech commands.
Some Vista users have reportedly tried the exploit and, amazingly, were able to delete files and empty the trash can so that the documents were not retrievable.
In an e-mail statement, Microsoft said its researchers are investigating the reports of the flaw that could allow a hacker to use the speech recognition feature to run malicious programs on Vista systems using prerecorded verbal commands.
On the other hand, security services firm Symantec has warned that the flaw is more serious than Microsoft has portrayed it. The company alerted its customers late Wednesday about a blogger on the Daily Dave mailing list who reported that he was able to engineer a recording that successfully downloaded and executed a file from the Internet, and manipulated the file system as well, without requiring user interaction.
Vista users can simply disable the speech recognition feature's ability to automatically load to safeguard against its misuse, the security company suggested.
Microsoft also recommends that users who are concerned about having their computer shout-hacked disable the speaker or microphone, turn off the speech recognition feature, or shut down Windows Media Player if they encounter a file that attempts to execute voice commands on their system.
Any Vista user who suspects that he or she has been shout-hacked can contact Microsoft Product Support Services, the software company said.