[ISN] The Problem with Vista Voice Recognition

From: InfoSec News (alerts@private)
Date: Wed Feb 07 2007 - 22:35:23 PST

Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com> 


=== CONTENTS ===================================================

IN FOCUS: The Problem with Vista Voice Recognition

   - Is HD DVD and Blu-Ray Security Now Moot?
   - Vista DRM Cracked Already?
   - Symantec Expands into Endpoint Management Via Acquisition
   - Recent Security Vulnerabilities

   - Security Matters Blog: Logcheck for Linux
   - FAQ: Disable Windows Vista's User Access Control (UAC)
   - From the Forum: Which Firewall Do You Use?
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Improving the Intelligence 
     of Your Gateway Security 

   - A Firewall for Your Phone
   - Wanted: Your Reviews of Products 




=== SPONSOR: HP ================================================

Free Brief: Personal HP Workstations = Higher ROI?
   Discover why financial services executives get a LOT more out of 
their IT investments by investing in HP Personal Workstation 
Technology. Quickly learn how workstations ensure accuracy and security 
while driving down short- and long-term operating costs. This quick-read 
guide is a must read today.

=== IN FOCUS: The Problem with Vista Voice Recognition =========
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Among Windows Vista's new features is robust voice recognition, which 
sounds rather innocuous. But as it turns out, that isn't the case. 

The voice recognition feature lets you talk to the computer 
(fortunately, it doesn't talk back!) to issue commands, dictate 
documents, and so on. Therein resides the first vulnerability 
discovered since Vista's release to consumers last week. Vista can act 
on verbal commands, and it doesn't matter where those commands come 
from--they can even come from your computer's speakers! 

In his blog, Sebastian Krahmer wrote: "Yesterday I had the idea to use 
Vista's speech recognition system for remote exploiting. By embedding 
commands into a sound file offered by an evil website or into all these 
Web 2.0 videos, remote attackers might be able to execute commands on a 
Vista system while they are spoken upon viewing."

Shortly after Krahmer echoed his idea onto the Dailydave mailing list 
(at the URL below), George Ou decided to give it a try. He made an audio 
file with embedded spoken commands and played the file. His Vista 
computer acted on the commands. Microsoft subsequently confirmed the 

The vulnerability leaves plenty of room for intruders to go hog-wild 
creating all sorts of malicious audio-command files. Fortunately, the 
voice recognition system isn't enabled by default in new Vista 
installations. Nevertheless, I have to wonder along with Ou why 
Microsoft didn't integrate a preliminary security system into the voice 
recognition system. By not requiring some sort of spoken passphrase, 
the company left a door wide open in Vista. 

In Microsoft's Security Response Center blog, Adrian wrote, "It is not 
possible through the use of voice commands to get the system to perform 
privileged functions such as creating a user without being prompted by 
UAC for Administrator credentials. The UAC prompt cannot be manipulated 
by voice commands by default." 

While that's true, it's still possible to delete files, execute code 
that doesn't require elevated privileges, and do who knows what other 
mischief. So, if you must use the voice command system, at least turn 
off the microphone when you're finished. Hopefully, Microsoft will 
release a fix for this problem soon. In the meantime, be careful about 
playing audio files of unknown content, and watch out for pranksters who 
might walk by your desk or call you on VoIP and say things like "shut down." 

=== SPONSOR: St. Bernard Software ==============================

Hosted Security: A solution for small and medium-sized businesses
   Is effective security out of reach for your small or medium-sized 
business? Imagine having a team of IT experts who only focus on 
security as part of your staff. Download this free must-have white 
paper today and find out how you can eliminate your company's security 

=== SECURITY NEWS AND FEATURES =================================

Is HD DVD and Blu-Ray Security Now Moot?
   Earlier this month, a person using the alias "muslix64" claimed to 
have circumvented the protection system in High Definition DVD (HD 
DVD). That system, called Advanced Access Content System (AACS), is 
designed to prevent duplication and unauthorized playback of AACS-
protected disks. Now muslix64 says he's cracked Blu-Ray security, which 
also uses AACS.

Vista DRM Cracked Already?
   A Romanian-born programmer claims to have developed code that can 
bypass the Digital Rights Management (DRM) technology in Windows Vista. 
Writing in his blog, Alex Ionescu said that for over a year, he's been 
working on a method of getting around Vista's signed driver 
requirements and that he's recently succeeded.

Symantec Expands into Endpoint Management Via Acquisition
   Symantec intends to bolster its offering of endpoint solutions with 
the acquisition of Altiris. Altiris provides solutions aimed at mobile 
devices, laptops, desktops, servers, and storage-related devices. The 
company's solutions help manage and enforce security policies, protect 
against threats, and repair and service assets.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Beachhead =========================================

Warning. PC encryption protection depends on user compliance--and users 
make poor security guards!
   Can you trust users to protect critical PC business data? One in 3 
users write down their passwords--leaving data at risk, even with 
encryption-only protection. True PC data protection requires 
organizational control of your data. Download this free white paper 
today to find out how to accomplish your PC data security goals without 
inhibiting employee productivity.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Logcheck for Linux
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4976C:57B62BBB09A692792718C527C856CB62

Managing and reviewing system logs is vital for security. Here's a tool 
that helps you get that job done on Linux.

FAQ: Disable Windows Vista's User Access Control (UAC)
   by John Savill, http://list.windowsitpro.com/t?ctl=4976A:57B62BBB09A692792718C527C856CB62 

Q: How do I disable Windows Vista's User Access Control (UAC)?

Find the answer at

FROM THE FORUM: Which Firewall Do You Use?
   A forum participant is comparing firewalls. He currently uses 
SmoothWall but wonders if an appliance solution would be better and 
would like to get some feedback from fellow techies. If he's going to 
consider another solution, it must interoperate with SmoothWall in 
order to keep VPNs working between sites. Join the discussion at

SHARE YOUR SECURITY TIPS
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Improving the Intelligence of 
Your Gateway Security
   This month, we take a dive into the technologies that provide mobile 
and remote workers with easy and flexible secure access from a broad 
range of devices and locations including kiosks, PCs, and mobile 

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

A Firewall for Your Phone
   F-Secure is demonstrating its recently announced F-Secure Mobile 
Security for smartphones and mobile multimedia computers at the RSA 
Conference 2007 this week. F-Secure Mobile Security adds firewall 
software to F-Secure's previously offered mobile-device antivirus 
software (F-Secure Mobile Anti-Virus). F-Secure Mobile Security is for 
devices based on S60 3rd Edition and Symbian OS 9, including four Nokia 
devices: Nokia N71, Nokia E60, Nokia E61, and Nokia E70. For more 
information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Black Hat DC, February 26-March 1 in Washington, DC, is the DC version 
of Black Hat, the world's premier technical event for IT security 
experts. Featuring 10 hands-on training courses and 30 briefings 
presentations with lots of new content--the best of Black Hat. Network 
with 300 delegates and see solutions from 10 major sponsors.

How do you manage security vulnerabilities? If you depend on 
vulnerability assessments to determine the state of your IT security 
systems, you can't miss this Web seminar. Special research from Gartner 
indicates that deeper penetration testing is needed to augment your 
existing vulnerability management processes. Learn more today! 

Do you know the clues and secrets to effective disaster recovery? Lucky 
mates will win a Weekly Prize of a $25 Best Buy Gift Card or a Grand 
Prize of a $100 Best Buy Gift Card. Find the buried treasure by 
uncovering the secrets to Web filtering. Complete this quiz correctly 
and you could be a winner!  

Do you want to create a fast, user-friendly, reliable, secure, and 
scalable backup strategy for your small-to-midsized business? Download 
this free white paper today and learn how you can break away from tape 
and move to disk-based data protection. 

=== FEATURED WHITE PAPER =======================================

Learn the 7 critical email problems to watch for and how to prevent 
them. Find out how to better manage your email environment, including 
your disaster recovery, compliance, data storage, security, and 
wireless devices. Download this free white paper today. 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting March nominations now, but only for a limited 
time! Submit your nomination today: 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4976F:57B62BBB09A692792718C527C856CB62
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


This archive was generated by hypermail 2.1.3 : Wed Feb 07 2007 - 22:49:40 PST