Ou's Low-tech Vista Exploit
Inspired by an online discussion that asked whether the new voice command feature in Microsoft's Windows Vista could inadvertently respond to a word spoken in an audio file played remotely, perhaps through a Web site, ZDNet blogger George Ou discovered through his own tests that a well-recorded voice command could be played back through the speakers of a Vista-endowed computer, and that the computer would respond as if commanded by its own user.
Ou reported the details on his ZDNet blog on Tuesday. "I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu."
In Vista, speech recognition is a special feature that the user has to launch intentionally, though the user can then have it start up automatically. So not every Vista system is susceptible to this exploit by default. But that might not stop some wild, low-tech attempt by a Web site to automatically play the sound of someone very distinctly saying "Shut down!"
Yesterday, Microsoft responded to Ou with a confirmation of the security hole's existence, but noted that any exploit would be limited to users who "have a microphone and speakers connected to their system." The company suggested that users could protect themselves from the exploit by disconnecting their microphone and speakers, or by simply not using speech recognition.
Though the allegation had not been raised by Ou, a member of Microsoft's Security Response team defended his company yesterday, saying a remote voice recognition exploit could not be used to defeat Vista's User Account Control (UAC), the operating system's new safeguard, which restricts administrative features to human users who can verify their presence before those features are launched.
"It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials," the MSRC team member wrote. "The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."
In response, Ou wrote on his blog, "I never claimed this would bypass UAC and secure desktop nor do I think it needs to, to be able to do some serious damage. The fact that a website can play a moderate level sound file to interact in a way with the desktop by activating an idle speech command system and be able to delete user documents with zero user interaction is serious by any stretch of the imagination."
After well over a year of unprecedented beta testing, with engineers and amateurs alike poring over the possibilities of rootkits evading API queries deep in the recesses of memory, perhaps it's no wonder that obvious exploits such as this one went unnoticed until Vista was finally released.
But Ou's discovery does call to mind the days of the public investigation after the first space shuttle disaster, when the brilliant physicist and father of quantum chromodynamics, Dr. Richard Feynman, demonstrated to NASA engineers that the rubber O-ring inside the shuttle's solid rocket booster fails to expand to seal gaps in freezing weather, by dropping the O-ring into a Styrofoam cup of ice water and seeing it for himself.