A flaw in Vista's speech recognition feature could allow remote attackers to delete files on someone else's PC.
Microsoft said it was investigating reports of a vulnerability that could allow an attacker to run malicious programs on Vista systems using pre-recorded verbal commands.
The potential security hole was discovered after an online discussion prompted blogger George Ou to try out a speech-based hack. Ou reported that he was able to access the Vista Start menu and, conceivably, run programs using voice commands played over the system's speakers. The speech recognition flaw is novel and notable for being the first hole in the new operating system since its consumer on Tuesday.
The impact of the flaw, however, is expected to be small. Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system. Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer's owner to download and play an audio recording of the malicious commands. Even then, the commands would have to be issued without attracting the attention of the computer's owner.
Finally, attackers’ commands are limited to the access rights of the logged on user, which may prevent access to any administrative commands.
Microsoft recommends that users who are concerned about having their computer "shout-hacked" disable the speaker or microphone, turn off the speech recognition feature, or shut down Windows Media Player if they encounter a file that tries to execute voice commands on their system.