Revisiting "Issue regarding Windows Vista Speech Recognition" (Windows Vista speech recognition command execution vulnerability)
2007-02-08 00:49
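Windows Vista is the latest operating system developed by Microsoft.
The speech recognition feature built into Windows Vista has a security issue: a remote attacker can exploit the vulnerability to execute arbitrary commands on the target user's machine.
Once speech recognition has been enabled and correctly configured on Vista, an attacker can use an audio file to issue commands such as “copy”, “delete”, and “shutdown” to the system; however, if the user is in front of the computer, they will also hear these commands being issued. Voice commands also cannot bypass the UAC prompt to perform privileged functions such as creating a user.
The original text from the blog of Sebastian Krahmer (the discoverer of the vulnerability):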
Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.
In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, “shutdown”, etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.
You may ask why this is new to Windows Vista as previous versions of the operating system do not appear affected. Windows Vista’s sophisticated speech recognition allows for easier operation and extended support for commands. This has been largely used to help facilitate computing use especially for users that are affected by dexterity difficulties or impairments. You can learn more about Windows Vista’s accessibility tools including speech recognition by going to http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/accessibletech.mspx.
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.
-Adrian