The problem is Chrome remembers the permission state for an HTTPS-enabled website. So, a hacker, keeping in mind that fact, could open a pop-under window. Since the code is running in a different instance of the website than is in the foreground, none of Chrome's recording icons display.
When he asked why the fix hadn't been released, he was given a strange answer. The team said that there was still an ongoing discussion within the Standards group, to agree on the correct behavior, and that “Nothing is decided yet.”
When asked to comment by The Verge, a Google spokesperson said,
We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.A video demo of the exploit is embedded.