OT: Vista's "ultimate" security :)
Fairlight
fairlite at fairlite.com
Tue Feb 6 06:03:37 PST 2007
Wow, it was released less than a week ago and already it hits SANS with the
first vulnerability...and an amusing one at that:
*****
07.6.1 CVE: Not Available
Platform: Windows
Title: Windows Vista Voice Recognition Command Execution
Description: Windows Vista is prone to a command execution
vulnerability because of its built-in voice recognition capability.
When voice recognition is enabled and when the speakers and microphone
are on and the volume is adjusted appropriately, voice commands given
via an audio file may be executed by the operating system. Several
versions of Windows Vista are affected.
*****
I just gotta say that, while extremely improbable that it would likely be
exploited often or easily, this kind of thing is of a large enough scale
that it should have been thought of during the -years- of security tests
they did. All the little things they tweaked, and then this big one slips
by unnoticed. :)
Solution: Disable a major feature of the OS that's possibly a draw for it.
That's about it, too. They have no patch available, and I don't know how
they could possibly get it fixed reasonably without risking more. I
know!!! Make the user have to speak their passwords aloud to proceed!!! :)
To be fair, it does require certain conditions be met to actually abuse it.
My own rig would be a potential victim, however, as I always have the
speakers and mic on. Details are at:
http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx
I'm not irate with them or anything, I just find it utterly ironic that
they spent so much attention to fine detail and yet missed a macroscopic
feature entirely. And it's been under a week since release, hackers the
world over are prying at the thing, and it comes down to something this
simple. It's easy cannon fodder, and free entertainment in the morning,
here.
Again, though, it illustrates the common and continuing trend that the
potential for an attack is coming more and more from application data--as
is the case for an Office 2000/2004 arbitrary code execution bug for which
they have no patch available. I -do- find it disturbing that traditionally
and usually the security lists will hold off until the vendor has a patch
ready before reporting an exploit, and very, very consistently the SANS
reports say, "Vendor confirmed, no patches available," for Microsoft
products.
As for any relevance to fP (well, I did flag this OT, but still...), one
can be thankful in -some- ways that fP is not SQL compliant. Its lack of
SQL features means that it's not subject to traditional SQL injection
attacks. I guess it's one case where the legacy design works in fP's
favour, and makes it immune to at least a major vector that's part of the
overall larger trend.
I was trying to figure out if there was a way to screw up a key segment
by injecting specific bytes into an IMPORT, as an example, but since
it appears to all be based on offsets, I don't think you can do that.
Thankfully.
mark->
--
Fairlight-> ||| "I know when to go out and when to | Fairlight Consulting
__/\__ ||| stay in...get things done..." -- |
<__<>__> ||| Bowie | http://www.fairlite.com
\/ ||| | info at fairlite.com