The official corporate security response blog

  • MSRC

    Issue regarding Windows Vista Speech Recognition

    Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.

     

In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, “shutdown”, etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.

     

    You may ask why this is new to Windows Vista as previous versions of the operating system do not appear affected. Windows Vista’s sophisticated speech recognition allows for easier operation and extended support for commands. This has been largely used to help facilitate computing use especially for users that are affected by dexterity difficulties or impairments. You can learn more about Windows Vista’s accessibility tools including speech recognition by going to http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/accessibletech.mspx.

     

    While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.

     

    -Adrian

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Microsoft Security Advisory 932114 Posted

    Hey everyone this is Alexandra Huft,

    I wanted to let people know that we just posted Microsoft Security Advisory (932114). This involves an issue that only affects Microsoft Word 2000. We’ve activated our Software Security Incident Response Process (SSIRP) and have some information we can share from the investigation so far.

    We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user’s machine in their security context by convincing them to open a specially-crafted Word document.

    We are aware of very limited, targeted attacks attempting to use the vulnerability reported.

In the past, we have gotten some questions from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to remind you that we have a posting where we explain what we mean posted here.

    As part of our investigation, we will be working with our MSRA partners to monitor and secure the ecosystem.

    I will keep everyone up to date as new or additional information becomes available.

    Thanks,

    Alexandra

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Re-release of MS07-002 for Excel 2000

    Hello, this is Christopher Budd.

    Very quickly, I wanted to let you know that we've just re-released MS07-002 for Excel 2000 only.

The original version released on January 9, 2007 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update did not correctly process the phonetic information that is embedded in files that are created by using Excel in the Korean, Chinese, or Japanese executable mode.

    If you're not running Excel 2000, this re-release doesn't apply to you and you don't need to take any action.

    If you are running Excel 2000 you should go ahead and deploy the new update. It is being released through all the same distribution channels as the original update. It is also supported by the same detection and deployment tools as the original update.

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    SUS 1.0 Information around Tuesday's Release

    Hello,

     

    This is Christopher Budd.  We've gotten some questions from SUS 1.0 customers about yesterday's release that I wanted to take a moment and address.

     

Due to the last-minute changes in the release that we updated you on last Friday, there is a delay in the updates for SUS 1.0 customers. This does not affect WSUS, which was updated yesterday on schedule as part of the release.

     

    At this time, we expect that the updates will be released through SUS 1.0 in the morning (Pacific Time) on Thursday January 11, 2007.

     

    We have more information on our KB article that documents SUS 1.0 updates that's located here: http://support.microsoft.com/KB/894199.

     

    Thanks.

     

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    January 2007 Monthly Security Bulletin Release

     

Hello, this is Christopher Budd.

     

    I wanted to let you know that as part of our standard monthly bulletin release process we’ve released our security bulletins for January 2007.

     

• Microsoft Office (MS07-001)
    • maximum severity rating of Important
    • vulnerabilities could allow an attacker to run code in the context of the logged on user.

• Microsoft Office (MS07-002)
    • maximum severity rating of Critical
    • vulnerabilities could allow an attacker to run code in the context of the logged on user.

• Microsoft Office (MS07-003)
    • maximum severity rating of Critical
    • vulnerabilities could allow an attacker to run code in the context of the logged on user.

• Microsoft Windows (MS07-004)
    • maximum severity rating of Critical
    • vulnerabilities could allow an attacker to run code in the context of the logged on user.

     

    Finally a reminder that we’ll be doing our regular monthly Security Bulletin webcast on Wednesday, January 10, 2007 11:00 AM Pacific Time (US & Canada).

     

    You can sign up for it here:
    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032323262&EventCategory=4&culture=en-US&CountryCode=US

     

     

    Thanks

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    January 2007 Advance Notification

    Hello,

    Happy New Year everyone.

    This is Christopher Budd and it’s the Thursday before the Second Tuesday of January 2007. As we do each month at this time, we’ve posted our Advance Notification for the upcoming security bulletin release.

    Next Tuesday, on January 9, 2007 at approximately 10:00 am PT we are slated to release:

    • One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is Critical. This update will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. This update will require a restart.
    • Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

    We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool.

Finally, I hope you’ll be able to join us for this month’s security bulletin webcast. It will be on Wednesday, January 10, 2007 at 11:00 am PT. You can register for it here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032321611&EventCategory=4&culture=en-US&CountryCode=US

    Thanks!

    Christopher

    Update:

    Hello this is Mike Reavey.  I have updated the posting to let you know that we will only be releasing 4 security bulletins.  We continue to plan to release the 4 remaining bulletins referenced above.

    Mike

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*
