A little more than a year ago, Sebastian Krahmer posted a question on the Dailydave security mailing list whether Vista’s speech recognition was exploitable or not via malicious sound files that could be hosted on websites. I was the first to answer his call with some initial skepticism but that turned in to astonishment when I ran some tests that confirmed the vulnerability. Stories ran a few months ago before the finalization of Vista Service Pack 1 that SP1 would close this speech recognition vulnerability but I couldn’t get any confirmation or denial from Microsoft after multiple queries. I finally got tired of waiting and decided to test the exploit again with Vista SP1 RTM installed and found that the vulnerability still exists.
The test sound file I created managed to wake Vista speech recognition, highlight all the files on my desktop or all my pictures via Windows Explorer, and invoke the shift-delete command which wipes the files without the ability to undelete from the Recycle Bin. I could also open Internet Explorer and invoke TinyURL addresses which in turn redirect to some other malicious executable. While the damage is limited to the user space since Vista speech recognition can’t get around the UAC prompt (assuming it’s on), code execution in the user space is still a serious vulnerability.
Microsoft, Windows Vista, Service Pack, SP1, Vista SP1, Vulnerability, Exploit, Security, Speech Recognition, Analog, Hole