by Playfuls Staff
2nd February 2007

Reports have emerged on the Web that Vista’s speech recognition feature could be used to run malicious code and compromise a PC, but Microsoft denies this possibility.
ZDNet blogger George Ou tested the theory on his own PC and succeeded in playing an audio file loudly enough that Vista responded to the commands in it.
“I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu. I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked!”
On the other side, a Microsoft blogger named Adrian says that several significant technical barriers would have to be overcome for that to work.
“While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system. In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as “copy”, “delete”, “shutdown”, etc. and acting on them. These commands would be coming from an audio file that is being played through the speakers. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation.
You may ask why this is new to Windows Vista as previous versions of the operating system do not appear affected. Windows Vista’s sophisticated speech recognition allows for easier operation and extended support for commands. This has been largely used to help facilitate computing use especially for users that are affected by dexterity difficulties or impairments. You can learn more about Windows Vista’s accessibility tools including speech recognition by going to http://www.microsoft.com/industry/healthcare/providers/businessvalue/housecalls/accessibletech.mspx.
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.”
This would not be the first time Microsoft has been confronted with problems concerning speech recognition in Vista. At one of its first public presentations, back in July 2006, the speech recognition software started misbehaving and eventually drew a lot of laughs from the audience.
When Shanen Boettcher, a member of the team that demoed the software, tried to tell the computer to write “Dear mom”, the computer’s output became “Dear aunt”.
Boettcher tried to stop the scattered ironic smiles in the audience with another command: “Fix aunt.” But guess what: the computer either didn’t understand or was itself embarrassed by what it had said before, since the words “let's set” appeared on the screen.
By the time Boettcher desperately asked the computer to “delete that”, the computer was probably deafened by the chuckles and laughs in the meeting room, because it did not post any output on the screen, although Boettcher repeated the command three times.
But the peak of embarrassment came when the Vista team member told the computer to “select all”, and the computer showed “so double the killer delete select all”…