OT: Vista's "ultimate" security :)
Bob Rasmussen
ras at anzio.com
Tue Feb 6 07:22:30 PST 2007
On Tue, 6 Feb 2007, Fairlight wrote:
> Wow, it was released less than a week ago and already it hits SANS with the
> first vulnerability...and an amusing one at that:
>
> *****
> 07.6.1 CVE: Not Available
> Platform: Windows
> Title: Windows Vista Voice Recognition Command Execution
> Description: Windows Vista is prone to a command execution
> vulnerability because of its built-in voice recognition capability.
> When voice recognition is enabled and when the speakers and microphone
> are on and the volume is adjusted appropriately, voice commands given
> via an audio file may be executed by the operating system. Several
> versions of Windows Vista are affected.
> *****
Thanks for this amusing (and amazing) eye-opener. A couple of minor
points:
1. Although Vista has just been released to retail, it has been available
to developers for many months. In fact, voice recognition has been part of
the TabletPC for years; presumably they have the same vulnerability, as
do Dragon, Via Voice, etc.
2. I believe a software patch could prevent this, while still allowing
voice control. Such a patch could operate similarly to an anti-feedback check,
by preventing acceptance of audio that was currently being output.
3. Most voice recognition programs have to be trained. It is unlikely that
a random voice command would be understood (although a low success rate
for a virus does not necessarily kill it).
Still, it's interesting.
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: ras at anzio.com
company e-mail: rsi at anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
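
The anti-feedback check proposed in point 2, sketched as an added example that is not part of the original message: before a microphone frame reaches the recognizer, compare it with the audio the machine is currently playing and drop frames that are mostly the machine's own output. The function names, the threshold, and the noise signals standing in for real audio are assumptions constructed for illustration.

```python
import math
import random

def pearson(a, b):
    """Pearson correlation of two equal-length sequences; 0.0 if either is flat."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den > 0 else 0.0

def echo_score(mic, playback, max_lag):
    """Highest |correlation| between the mic frame and the playback frame,
    searching speaker-to-microphone delays of 0..max_lag samples."""
    n = min(len(mic), len(playback))
    best = 0.0
    for lag in range(max_lag + 1):
        if n - lag < 2:
            break
        best = max(best, abs(pearson(playback[:n - lag], mic[lag:n])))
    return best

def accept_for_recognition(mic, playback, max_lag=64, threshold=0.6):
    """Gate in front of the recognizer: reject frames that are mostly our own output.
    A production design would subtract the echo (acoustic echo cancellation)
    rather than drop the frame, so a live talker is still heard over playback."""
    return echo_score(mic, playback, max_lag) < threshold

# --- constructed sample data (white noise stands in for real audio) ---
def noise(seed, n, amp):
    rng = random.Random(seed)
    return [rng.uniform(-amp, amp) for _ in range(n)]

N, DELAY = 512, 17
PLAYBACK = noise(1, N, 1.0)      # what the speakers are playing
ROOM = noise(2, N, 0.05)         # background noise at the microphone
# Microphone hears the playback, attenuated and delayed by the room.
ECHO_MIC = [ROOM[t] + (0.5 * PLAYBACK[t - DELAY] if t >= DELAY else 0.0)
            for t in range(N)]
# Microphone hears an independent source (a person speaking) instead.
LIVE_MIC = [a + b for a, b in zip(noise(3, N, 0.5), ROOM)]
SILENCE = [0.0] * N              # nothing is being played

if __name__ == "__main__":
    print("echo frame accepted:", accept_for_recognition(ECHO_MIC, PLAYBACK))
    print("live frame accepted:", accept_for_recognition(LIVE_MIC, PLAYBACK))
```
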