Security UPDATE--The Problem with Vista Voice Recognition--February 7, 2007


Free Brief: Personal HP Workstations = Higher ROI?

Hosted Security: A solution for small and medium-size businesses

Warning. PC encryption protection depends on user compliance--and users make poor security guards!



IN FOCUS: The Problem with Vista Voice Recognition


- Is HD DVD and Blu-Ray Security Now Moot?

- Vista DRM Cracked Already?

- Symantec Expands into Endpoint Management Via Acquisition

- Recent Security Vulnerabilities


- Security Matters Blog: Logcheck for Linux

- FAQ: Disable Windows Vista's User Access Control (UAC)

- From the Forum: Which Firewall Do You Use?

- Share Your Security Tips

- Microsoft Learning Paths for Security: Improving the Intelligence of Your Gateway Security


- A Firewall for Your Phone

- Wanted: Your Reviews of Products


Free Brief: Personal HP Workstations = Higher ROI?

Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short- and long-term operating costs. This quick-read guide is a must read today.

=== IN FOCUS: The Problem with Vista Voice Recognition

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Among Windows Vista's new features is robust voice recognition, which sounds rather innocuous. But as it turns out, that isn't the case.

The voice recognition feature lets you talk to the computer (fortunately, it doesn't talk back!) to issue commands, dictate documents, and so on. Therein resides the first vulnerability discovered since Vista's release to consumers last week. Vista can act on verbal commands, and it doesn't matter where those commands come from--they can even come from your computer's speakers!

In his blog, Sebastian Krahmer wrote: "Yesterday I had the idea to use Vista's speech recognition system for remote exploiting. By embedding commands into a soundfile offered by an evil website or into all these Web 2.0 videos, remote attackers might be able to execute commands on a Vista system while they are spoken upon viewing."

Shortly after Krahmer echoed his idea onto the Dailydave mailing list (at the URL below), George Ou decided to give it a try. He made an audio file with embedded spoken commands and played the file. His Vista computer acted on the commands. Microsoft subsequently confirmed the vulnerability.

The vulnerability leaves plenty of room for intruders to go hog-wild creating all sorts of malicious audio-command files. Fortunately, the voice recognition system isn't enabled by default in new Vista installations. Nevertheless, I have to wonder along with Ou why Microsoft didn't integrate a preliminary security system into the voice recognition system. By not requiring some sort of spoken passphrase, the company left a door wide open in Vista.

In Microsoft's Security Response Center blog, Adrian wrote, "It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default."

While that's true, it's still possible to delete files, execute code that doesn't require elevated privileges, and do who knows what other mischief. So, if you must use the voice command system, at least turn off the microphone when you're finished. Hopefully, Microsoft will release a fix for this problem soon. In the meantime, be careful about playing audio files of unknown content, and watch out for pranksters who might walk by your desk or call you on VoIP and say things like "shut down."

=== SPONSOR: St. Bernard Software


Hosted Security: A solution for small and medium-sized businesses

Is effective security out of reach for your small or medium-sized business? Imagine having a team of IT experts who only focus on security as part of your staff. Download this free must-have white paper today and find out how you can eliminate your company's security risks.



Is HD DVD and Blu-Ray Security Now Moot?

Earlier this month, a person using the alias "muslix64" claimed to have circumvented the protection system in High Definition DVD (HD DVD). That system, called Advanced Access Content System (AACS), is designed to prevent duplication and unauthorized playback of AACS-protected discs. Now muslix64 says he's cracked Blu-Ray security, which also uses AACS.

Vista DRM Cracked Already?

A Romanian-born programmer claims to have developed code that can bypass the Digital Rights Management (DRM) technology in Windows Vista. Writing in his blog, Alex Ionescu said that for over a year, he's been working on a method of getting around Vista's signed driver requirements and that he's recently succeeded.

Symantec Expands into Endpoint Management Via Acquisition

Symantec intends to bolster its offering of endpoint solutions with the acquisition of Altiris. Altiris provides solutions aimed at mobile devices, laptops, desktops, servers, and storage-related devices. The company's solutions help manage and enforce security policies, protect against threats, and repair and service assets.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Beachhead


Warning. PC encryption protection depends on user compliance--and users make poor security guards!

Can you trust users to protect critical PC business data? One in 3 users write down their passwords--leaving data at risk, even with encryption-only protection. True PC data protection requires organizational control of your data. Download this free white paper today to find out how to accomplish your PC data security goals without inhibiting employee productivity.


SECURITY MATTERS BLOG: Logcheck for Linux

by Mark Joseph Edwards

Managing and reviewing system logs is vital for security. Here's a tool that helps you get that job done on Linux.

FAQ: Disable Windows Vista's User Access Control (UAC)

by John Savill

Q: How do I disable Windows Vista's User Access Control (UAC)?

Find the answer at

FROM THE FORUM: Which Firewall Do You Use?

A forum participant is comparing firewalls. He currently uses SmoothWall but wonders if an appliance solution would be better and would like to get some feedback from fellow techies. If he's going to consider another solution, it must interoperate with SmoothWall in order to keep VPNs working between sites. Join the discussion at

SHARE YOUR SECURITY TIPS

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Improving the Intelligence of Your Gateway Security

This month, we take a dive into the technologies that provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, PCs, and mobile devices.



by Renee Munshi

A Firewall for Your Phone

F-Secure is demonstrating its recently announced F-Secure Mobile Security for smartphones and mobile multimedia computers at the RSA Conference 2007 this week. F-Secure Mobile Security adds firewall software to F-Secure's previously offered mobile-device antivirus software (F-Secure Mobile Anti-Virus). F-Secure Mobile Security is for devices based on S60 3rd Edition and Symbian OS 9, including four Nokia devices: Nokia N71, Nokia E60, Nokia E61, and Nokia E70. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

Black Hat DC, February 26-March 1 in Washington, DC, is the DC version of Black Hat, the world's premier technical event for IT security experts. Featuring 10 hands-on training courses and 30 briefing presentations with lots of new content--the best of Black Hat. Network with 300 delegates and see solutions from 10 major sponsors.

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration testing is needed to augment your existing vulnerability management processes. Learn more today!

Do you know the clues and secrets to effective disaster recovery? Lucky mates will win a Weekly Prize of a $25 Best Buy Gift Card or a Grand Prize of a $100 Best Buy Gift Card. Find the buried treasure by uncovering the secrets to Web filtering. Complete this quiz correctly and you could be a winner!

Do you want to create a fast, user-friendly, reliable, secure, and scalable backup strategy for your small-to-midsized business? Download this free white paper today and learn how you can break away from tape and move to disk-based data protection.



Learn the 7 critical email problems to watch for and how to prevent them. Find out how to better manage your email environment, including your disaster recovery, compliance, data storage, security, and wireless devices. Download this free white paper today.



Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting March nominations now, but only for a limited time! Submit your nomination today:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.