Remote Exploit of Vista Speech Control
An anonymous reader writes "George Ou writes in his blog that he found a remote exploit for the new and shiny Vista Speech Control. Specifically, websites playing soundfiles can trigger arbitrary commands. Ou reports that Microsoft confirmed the bug and suggested as workarounds that either 'A user can turn off their computer speakers and/or microphone'; or, 'If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition, and restart their computer.' Well, who didn't see that coming?"
To create malicious audio files with OS X (10.3 or later), fire up Terminal and use 'say': :-)
$ echo "format sea slash you" | say -o evil.aiff
This makes your messages with a nice, clear, even voice--wouldn't want a bunch of 'um's and 'ah's borking up your exploit, now would you?
`man say` for more options.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically?
This is untrue. Speech recognition software can be made to filter out anything coming in the mic that matches something going out the speaker channel. More simply, you can simply require all commands be preceded with an arbitrary word (like the computer's name). Call your computer "George" and then issue the command "George, kill dash nine star dot star." As opposed to "kill dash nine star dot star." Since the exploit writer won't know to include "George" their exploit fails almost all the time. This was a feature of MacOS 7, more than a decade ago, as I mentioned elsewhere.
Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.
Depending upon the tolerance, this is entirely possible, but I don't see it as being as important or versatile as the other two methods I listed above. MS should have learned from the example of others.
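The two mitigations described in the comment above (ignoring microphone input that matches what the speakers are playing, and requiring a user-chosen name before every command), sketched as an added example that is not part of the original thread and is not Microsoft's or Apple's code. The function names, the 0.8 correlation threshold, and the synthetic signals are assumptions constructed for illustration.

```python
import math
import random

def peak_correlation(mic, loopback, max_lag=40):
    """Highest normalized cross-correlation of mic audio against delayed speaker output."""
    best = 0.0
    for lag in range(max_lag + 1):          # the room delays the sound by an unknown amount
        a = mic[lag:]
        b = loopback[:len(a)]
        num = sum(x * y for x, y in zip(a, b))
        den = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
        if den:
            best = max(best, abs(num / den))
    return best

def accept_command(transcript, mic, loopback, wake_word="george", echo_threshold=0.8):
    """Return the command to act on, or None if the utterance must be ignored."""
    # Check 1: drop anything the microphone picked up from our own speakers.
    if peak_correlation(mic, loopback) >= echo_threshold:
        return None
    # Check 2: require the user-chosen computer name as the first word.
    words = transcript.lower().replace(",", " ").split()
    if not words or words[0] != wake_word:
        return None
    return " ".join(words[1:]) or None

def _tone(freqs, seed, n=400):
    """Constructed test signal: a few sine components plus slight noise."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * f * i / n) for f in freqs) + rng.gauss(0, 0.05)
            for i in range(n)]

# Constructed sample audio (not captured from a real system).
SPEAKER = _tone([7, 19, 43], seed=1)                      # what the machine is playing
ECHO_MIC = [0.0] * 12 + [0.6 * s for s in SPEAKER[:-12]]  # same audio, delayed and quieter
HUMAN_MIC = _tone([5, 23, 61], seed=2)                    # unrelated audio: a person talking

if __name__ == "__main__":
    print(accept_command("George, open notepad", HUMAN_MIC, SPEAKER))  # user, with name
    print(accept_command("open notepad", HUMAN_MIC, SPEAKER))          # no name given
    print(accept_command("George, open notepad", ECHO_MIC, SPEAKER))   # played by the PC
```

The echo check runs first, so audio that originates from the machine's own output is dropped even when it happens to contain the chosen name.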
The audio mixer in Vista is no longer based on different audio types (MIDI, CD Audio, WAV, etc). Instead, there is a volume slider and mute button for each application that makes sounds. So you can mute IE, AIM (those annoying video ads), and Windows itself, while still playing your music in WinAmp or WMP.
Adrian responded to this on the Microsoft Security Response Blog.
Issue regarding Windows Vista Speech Recognition
Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.
He goes on to list reasons why this is not a major issue. The first being that voice commands have to be turned on and configured for this to work.
He ends with
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.
I think he's right. If this was a serious problem, the MacOS and OS/2 "exploits" mentioned above would've received a lot more press. Still, I expect in a future version, the voice software will be smart enough to ignore the computer's own output.
Personally, I don't like voice commands. They are necessary for users with certain impairments and useful for certain applications such as kiosks, but they are counterproductive in a shared-office environment and just plain weird on my desktop. Even on Star Trek - The Next Generation much of the computer input was via control consoles not voice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.