Microsoft has acknowledged a clever person might be able to remotely exploit the voice recognition features of the new Vista operating system to gain access to a PC, but a company representative downplayed the seriousness of the problem.
The company’s response was posted on the Microsoft Security Response Center (MSRC) blog. MSRC program manager Adrian Stone said he is “confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.”
A Lot of ‘Ifs’
Stone was responding to published reports describing ways outsiders could manipulate files on a computer, and possibly do more serious damage, by having the system play audio commands. If the PC was running Vista, and if the operating system’s new voice recognition system was on, and if both the external speakers and a microphone were active, then the attack might work.
“The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as ‘copy,’ ‘delete,’ ‘shutdown,’ etc., and acting on them,” wrote Stone. “These commands would be coming from an audio file that is being played through the speakers.”
There is one big problem with this type of hack, he pointed out: Somebody in the room would hear it happening.
“Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation,” noted Stone.
The whole thing is a bit silly and overblown, according to Sophos Senior Technology Consultant Graham Cluley.
“It sounds to me like an awful lot of effort for a hacker to go through, which they probably don’t need to do anyway,” Cluley told TechNewsWorld. “Obviously, if this is going to happen it’s a theoretical flaw, but it’s unlikely hackers would use this in the real world. … It’s a fun, interesting thing to demonstrate, perhaps. But is it a real-world threat? I don’t think so.”
Nevertheless, in the MSRC blog, Stone said Microsoft is “taking the reports seriously and investigating them accordingly.”
A Dent in the Image
While the voice recognition trick might not be a major concern, the widespread news about its discovery could negatively impact the rollout of Vista. The last thing Microsoft needed, coming mere days after the new system hit the market, was stories suggesting Vista is prone to hacking.
“Certainly, this kind of thing doesn’t help the Vista adoption,” Rob Enderle, principal analyst at The Enderle Group, told TechNewsWorld. “When you sell on a message of security, having problems like this crop up certainly doesn’t help your message, and it does showcase one of the weaknesses Microsoft has: they don’t really sell the products after they release them.”
Microsoft’s marketing campaigns are focused on product visibility, not benefits, Enderle suggested. “They don’t say too many things that explain what makes this thing different or better and why you should buy it,” he said.
If the company did more benefits-based marketing, it could more easily ward off bad publicity relating to minor bugs in its new products, he said. It’s obvious that there are hordes of people intent on finding flaws in every new Microsoft system, both Enderle and Cluley claimed.
“There are lots of people out there who are looking for problems in Vista right now, for good or for bad, and they’re probably going to publicize it,” Cluley explained. “Some will be more serious than others. … This particular speech recognition one is a storm in a teacup.”
“The thing to remember, of course, is that everything is relative. Vista is more secure, vastly so, than was Windows XP,” added Enderle. “But as long as we have humans touching these things nothing will be 100 percent secure. When you have, literally, thousands of people trying to use creative ways [to find flaws], invariably some folks are going to be successful.”