“Microsoft has admitted that speech recognition features in Vista could be hijacked so that a PC tells itself to delete files or folders. Vista can respond to vocal commands and concern has been raised about malicious audio on websites or sent via e-mail,” BBC News reports.
The Beeb reports, “In one scenario outlined by users an MP3 file of voice instructions was used to tell the PC to delete documents.”
“Microsoft said the exploit was ‘technically possible’ but there was no need to worry,” The Beeb reports.
The Beeb reports, “Some Vista users have already tested the exploit and were able to delete files and empty the trash can so that the documents were not retrievable. Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played.”
Full article here.
Microsoft Vista Speech Demo:
MacDailyNews Note: Apple Macs have long had such speech recognition features, since well before Mac OS X debuted. By default, Apple’s Speech Recognition listens only if a user-assignable key is pressed on the keyboard or if a specific user-assignable keyword is spoken before each command. An option does exist to allow Mac OS X to listen continuously with the keyword as “optional before commands.”
Apple recommends in their Mac OS X Security Configuration For Version 10.4 or Later document (a document we highly recommend that all Mac OS X Tiger users read): Mac OS X includes speech recognition and text to speech features, which are disabled by default. You should only enable these features if you’re working in a secure environment where no one else can hear you speak to the computer, or hear the computer speak to you. Also make sure there are no audio recording devices that can record your communication with the computer.
To securely configure Mac OS X Tiger’s Speech preferences:
1. Open Speech preferences.
2. Click the Speech Recognition pane, and set Speakable Items On or Off. Change the settings according to your environment.
3. Click the Text to Speech pane, and change the settings according to your environment.
Apple’s advice on Securing Universal Access Preferences:
Universal Access preferences are disabled by default. If you don’t use an assistive device, there are no security-related issues. However, if you do use an assistive device, follow these guidelines:
• See the device manual for prevention of possible security risks.
• Enabling VoiceOver configures the computer to read the contents under the cursor out loud, which might inadvertently disclose confidential data.
• These devices allow access to the computer that could reveal information in a compromising manner.
More about Apple’s Mac OS X Speech feature here.
More about Apple’s Mac OS X VoiceOver feature here.
See VoiceOver in action via QuickTime movie here.
[UPDATED: 5:35pm EST: Added Microsoft Vista Speech Demo video.]
Related article:
Microsoft Windows Vista demo goes bad – July 29, 2006
What a great exploit. The whole idea of a web site talking to your computer and telling it to delete files and folders is a hoot–unless it happened to me, of course
MDN: Thank you for the PSA on making sure this doesn’t happen on our Macs. It is nice that Apple “pre-thinks” (or just plain thinks) through these issues for us and provides several options for security.
I wonder if Vista can tell itself not to suck. Now that would be impressive!
The typical, and expected, arrogance of Microsoft demonstrated yet again:
“Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played.”
WTF.
What a feat! They must’ve made hundreds of recordings before coming up with the phrase that Vista could parse properly. Getting Vista to do something stupid, on the other hand, must have been a cinch.
Microsoft: Your insecurity. Our passion.
God, I wish I could write the code to get a virus/MP3 file to infect a PC and shout “Developers, Developers, Developers…” as it empties someone’s on-line bank account…
…Oh, hold on – Bullmer and M$ does that anyway!
I want voice log in brought back!
I really want to use “Soylent Green is people” as a log in
I wonder if Vista can tell the computer to go FSCK itself?
More like:
Microsoft: Your vulnerability. Our profit.
My XP box at work is on a timer to implement a screen saver in 15 minutes if there is no activity, and it can’t be turned off by a user. If I leave my office, there is up to 15 minutes that my box is “unprotected”. How would Bill explain that?
“Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played.”
Right, but by then it would be too late, right? So really, you’d just get to listen in horror as all your files are wiped out.
“Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played.”
I think the key point here is if a user visited a website with audio and this audio said, “delete all files”, the user would ‘expect’ that Vista wouldn’t be stupid to actually DO IT.
It obviously is.
It’s similar to the ‘it’s a feature, not a bug’, aspect of Front Page, where you could, through an open-save dialog box, delete your entire HD, without the OS prompting the user if they really wanted to do that.
Again, Microsoft’s assertion was that the user would intervene.
Typical of Microsoft – a feature is created, it’s tested by geeks and only geeks who think it’s great, and then real users get to use it, and see all the shortcomings.
When was the final version of Vista released? I think it was 2 days ago. The first exploit appeared LOL. Now that’s a total of 6 exploits in Vista for the last 2 months, I think. Where is the so-called security? They said that it’s more secure than previous versions of Windows. Also, Windows Defender, which is supposed to remove spyware, sucks badly. Windows users should use the Ad-Aware program for detecting spyware. Windows Vista is still prone to malware crap. The hackers have succeeded at making malware and viruses for Vista. Bye
It looks like if you have a Mac configured the same way – voice recognition on, speakers, microphones enabled – you would have the same problem. Just because Apple warns this can happen doesn’t prevent it from happening. I agree, the Mac is inherently secure, but it appears the Mac is just as vulnerable here.
“What about macs”
No, by default you have to hold down a key for Mac’s voice recognition to work.
Pull the string and the PC says, “I’m total crap. Please sell me on eBay right now and then buy a Mac.”
Your agony. Our entertainment.
“My XP box at work is on a timer to implement a screen saver in 15 minutes if there is no activity, and it can’t be turned off by a user. If I leave my office, there is up to 15 minutes that my box is “unprotected”. How would Bill explain that?”
You don’t have to wait for the screensaver in XP. You can lock out by clicking Start+L on the keyboard. It will lock the computer screen. In Tiger you can do this by enabling the fast switch user feature under Accounts in System Preferences. Then click logout under your name near a spotlight, which will lock your screen too. If you log out normally under the Apple icon, it will end your session. Bye
Vista User: “Please pull up my financial records.”
Vista: “I’m sorry, Dave. I can’t let you do that. How about a game of chess instead?”
Your personal records. Our prerogative.
I wonder if U.S. Homeland Security has upgraded to Vista? I feel safer already.
Microsoft said the exploit was “technically possible” but there was no need to worry.
The fact that Microsoft extends the ability to delete files on your PC to anyone with malicious intent and considers this a minor issue is the height of arrogance and complacency. The fact that Microsoft has the audacity to dismiss this as a minor security issue is unforgivable. Go ahead, buy Vista then spend the rest of your natural life in a perpetual state of anxiety punctuated with frustration, anger, and regret. What about the possibility of someone remotely adding or modifying files without the user’s knowledge or consent? This news only begs the question, “What other security flaws has Microsoft built into Vista that are yet unknown or unreported?”
Proof of concept, baby! One more notch in the old virus coffin.
Yeah, and tells its user to go @#&% themselves after the files are deleted!
Microshaft gives users the “shaft” again.
” . . . then spend the rest of your natural life in a perpetual state of anxiety punctuated with frustration, anger, and regret.”
Microsoft has their own word for that.
They call it “WOW!”