The SANS Internet Storm Center posted this article regarding Vista and its speech/voice system. Apparently, an attacker can record Vista voice commands, save them to a file, play the file back on a target system, and thereby take control of a Vista computer by means of these voice commands.
Arrigo from SANS summarizes this type of attack:
The best picture in my mind of this attack vector is a large trading
room, in the middle of the night, and one computer shouting out loud
"start listening", "start", "internet explorer", "download <some
ZDNet writer George Ou even describes how a malicious website (or person — think Myspace audio tracks) could abuse this.
We are looking into an OSFirewall protection that would alert the user if someone (or better yet, something) attempts to enable the Voice Recognition system. By using OSFirewall, we can prevent this type of attack from both known and unknown malware.
I don’t expect this type of attack to become really common, despite the fact that it requires no real technical skill but rather a clear and commanding speaking voice.