I have had a lot of people ask me over the past couple of weeks whether they should upgrade to Windows Vista. My answer has been the same – wait. Microsoft did have a rather vigorous beta testing period for its new operating system, but the problem lies in who the beta testers are. Average Joe is not going to volunteer to beta test an operating system when he needs to pay someone just to upgrade his computer. On that same note, Average Joe is less likely to follow safe computing practices than someone inclined to jump into a beta testing program. Now we are seeing the ramifications of this practice with Vista’s first apparent security flaw:
This pretty much confirms what I’ve been saying all along, and I had recommended that Vista users not leave their Speech Recognition feature running unattended. However, good security defenses should never rely on user action to prevent exploits. It is my belief that, as the long-term solution, Microsoft should filter out sound that the computer itself is playing and that makes its way back into the system via the microphone before the Speech Recognition engine processes it. A short-term solution is for Microsoft to implement a wake word, as Apple does, which lets a user choose a unique word that must be spoken to unlock the speech recognition engine. At this point in time, Microsoft will not commit to a patch and is still investigating the issue.
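To make the two mitigations above concrete, here is an added toy model in pure Python. It is not code from this post and not Microsoft’s implementation; it assumes the operating system keeps a reference copy of the audio it is sending to the speakers, that the recogniser hands over one text string per utterance, and it stands in constructed Gaussian noise for real speech and playback. The self-echo check is a simple correlation gate (drop the utterance when the microphone is mostly hearing the computer’s own output), not a full acoustic echo canceller; the wake-word gate only accepts commands for a couple of utterances after the user’s chosen word is heard. The threshold, the delay and the signal levels are illustrative assumptions.

```python
"""Toy model of a self-echo gate plus a wake-word gate in front of a
speech command recogniser. Added illustration, not the post's or
Microsoft's code; all audio below is constructed noise, not captured data.
"""
import math
import random


def normalized_xcorr(mic, ref, max_lag):
    """Peak normalised cross-correlation of the mic signal against the
    playback reference over lags 0..max_lag (the speaker-to-mic delay).
    Near 1.0: the mic is hearing the computer's own output. Near 0.0: an
    independent signal, i.e. a person. Silent playback scores 0.0."""
    n = min(len(mic), len(ref))
    best = 0.0
    for lag in range(max_lag + 1):
        m = mic[lag:n]
        r = ref[:n - lag]
        dot = sum(a * b for a, b in zip(m, r))
        norm = math.sqrt(sum(a * a for a in m) * sum(b * b for b in r))
        if norm == 0.0:            # nothing playing, or an empty window
            continue
        best = max(best, abs(dot) / norm)
    return best


class CommandGate:
    """Wake-word gate: accept commands only for `window` utterances after
    the user's chosen wake word is heard, then lock again."""

    def __init__(self, wake_word, window=2):
        self.wake_word = wake_word.strip().lower()
        self.window = window
        self.armed = 0

    def feed(self, text):
        """Return the command to execute, or None if the gate is locked."""
        text = text.strip().lower()
        if text == self.wake_word:
            self.armed = self.window
            return None
        if self.armed > 0:
            self.armed -= 1
            return text
        return None


def process(utterances, gate, echo_threshold=0.8, max_lag=64):
    """Run each (mic, playback, recognised_text) through the self-echo gate
    and then the wake-word gate. Returns (executed_commands, decision_log)."""
    executed, log = [], []
    for mic, ref, text in utterances:
        score = normalized_xcorr(mic, ref, max_lag)
        if score >= echo_threshold:
            log.append((text, "dropped: self-echo, score %.2f" % score))
            continue
        cmd = gate.feed(text)
        if cmd is None:
            log.append((text, "no command: gate locked or wake word"))
        else:
            executed.append(cmd)
            log.append((text, "executed"))
    return executed, log


def unprotected(utterances):
    """Model of the shipped behaviour: everything recognised is a command."""
    return [text for _, _, text in utterances]


# ---- constructed sample audio (hypothetical, not captured data) ----
_RNG = random.Random(20070201)
N = 2000


def _noise(n):
    return [_RNG.gauss(0.0, 1.0) for _ in range(n)]


PLAYBACK = _noise(N)         # what the OS is sending to the speakers (the ad)
USER_VOICE = _noise(N)       # an independent signal: the actual user talking
SILENCE = [0.0] * N          # nothing playing
# Attack: speaker output re-enters the mic 17 samples later at 60 % level,
# plus a little room noise.
ATTACK_MIC = [0.6 * (PLAYBACK[i - 17] if i >= 17 else 0.0) + 0.05 * x
              for i, x in enumerate(_noise(N))]
# The user speaking while the playback leaks faintly into the mic.
LEAKY_USER_MIC = [v + 0.1 * p for v, p in zip(USER_VOICE, PLAYBACK)]

UTTERANCES = [
    (ATTACK_MIC, PLAYBACK, "computer"),                   # ad tries the wake word
    (ATTACK_MIC, PLAYBACK, "delete documents"),           # ad issues a command
    (LEAKY_USER_MIC, PLAYBACK, "open windows explorer"),  # user, but gate locked
    (USER_VOICE, SILENCE, "computer"),                    # user says the wake word
    (USER_VOICE, SILENCE, "open windows explorer"),       # user command, accepted
]


def demo():
    return process(UTTERANCES, CommandGate("computer"))


if __name__ == "__main__":
    print("unprotected would run:", unprotected(UTTERANCES))
    executed, log = demo()
    for text, why in log:
        print("%-22s -> %s" % (text, why))
    print("executed:", executed)
```

The order of the two gates matters: the echo check runs first, so a sound file that speaks the wake word itself is still discarded, which is exactly the weakness of a wake word on its own. The silence case is handled explicitly so that a microphone signal with no playback reference scores zero rather than dividing by zero.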
I’ve also done some further experimentation showing that this exploit can be very nasty even if it can’t execute with administrative privileges or bypass UAC. I have verified that I can create a sound file that wakes Vista speech recognition, opens Windows Explorer, deletes the Documents folder, and then empties the trash. Then we have to consider the fact that people do leave many web pages open overnight, and some of those may have rotating Flash ads that can play sounds. If that’s not a serious exploit, I don’t know what is. One can always rebuild system files by reinstalling the operating system, but data files can’t be recovered, since the vast majority of people don’t back up.
Considering the number of people out there who get their jollies by messing up someone’s computer (even if they don’t know for sure it worked), it is best to disable speech recognition on your system. It will just be a matter of time before you see Flash ads that try this, or someone decides to send an email with a song attached that holds the magic words. Overall, just disable speech recognition – that is your best defense.