Dailydave mailing list archives

Re: Vista speech recognition


From: Sebastian Krahmer <krahmer () suse de>
Date: Fri, 2 Feb 2007 10:48:29 +0100 (CET)

On Fri, 2 Feb 2007, George Ou wrote:

Hi,

I think it's a quite normal reflex to decrease the importance of
such bugs. If it's an IE7 instant high-tech remote, you have little
chance to say 'not so important'. If it has some sort of
fun-factor and some laughs, it's easier to say 'yes,
but not serious'. At least until you realize that all
your firewalls, IDS and whatnot did not protect you.
On the other hand, I do not really care what the "official"
severity is. Maybe, in 20 years, if all computers are
controlled by expressions, speech and gestures, such "exploits"
become common; and this one was the first of this kind.
Let's see how it develops ;-)

thanks for the effort,
Sebastian

Here's the round up on news coverage on this flaw.
http://blogs.techrepublic.com.com/Ou/?p=420
http://blogs.zdnet.com/Ou/?p=420

"The fundamental problem here is that Microsoft "extended" speech to be able
to control the Operating System and Applications without considering the
full security implications. If Microsoft had merely assigned a user-defined
password with an automatic lockout after a certain amount of idle time, it
would have made the generic attack impossible, but they failed to do that. So
I'm asking Microsoft to reconsider their stance that "there is little if any
need to worry" and implement some sort of safety mechanism rather than
relying on the user to be self-vigilant. It doesn't matter that there
aren't that many people using this feature; Microsoft should fix it if
they're going to offer it and market it as a key Vista advantage. Since
Microsoft is promoting voice recognition for healthcare, we should consider
the safety of patient health records.

At the present time, Vista Speech Recognition wakes up to the command "start
listening". How hard would it be for Microsoft to make that a
user-definable phrase or word? For example: a user would pick "Zelda" as
the word to wake speech mode while someone else picks "439" as their wake
word. How hard would it be for Microsoft to implement a wake timeout so
that Speech Recognition would sleep after 5 minutes idle? How hard would it
be for Microsoft to implement their excellent echo cancellation algorithm in
Windows Messenger for Speech Recognition? I don't believe this is too much
to ask."


I want to thank the SANS Institute guys for "getting it".  Coming from them,
that means something to me.


I'm also running a poll at the end asking if Microsoft should patch this
with a pass phrase and echo cancellation.



George Ou


-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~
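The safety mechanism George Ou asks for above (a user-chosen wake phrase instead of the fixed "start listening", an idle timeout that puts recognition back to sleep, and echo suppression) can be modelled as a small state machine. The following is an added example written for this archive page; it is not Vista code, not Microsoft's design, and not anything from the original posts. The `SpeechGate` class, its method names, the sample utterances and the `playing` argument (a crude stand-in for echo cancellation that drops speech identical to what the machine itself is outputting) are all assumptions made for the illustration.

```python
"""Model of a wake-phrase gate with idle lockout for a voice-command interface.

Added example only: it simulates the mitigations proposed in the thread, not
any real speech-recognition product. All utterances below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SpeechGate:
    wake_phrase: str              # user-chosen, e.g. "zelda"; matched case-insensitively
    idle_timeout: float = 300.0   # seconds of inactivity before the gate re-locks (5 min)
    awake: bool = False
    last_activity: float = 0.0
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    @staticmethod
    def _normalize(text: str) -> str:
        return " ".join(text.lower().split())

    def hear(self, utterance: str, now: float, playing: Optional[str] = None) -> str:
        """Process one recognized utterance heard at time `now` (seconds).

        Returns one of:
          'echo'     - matched the machine's own audio output, discarded
          'woke'     - correct wake phrase, gate opens
          'locked'   - gate closed (asleep or timed out), utterance dropped
          'executed' - command accepted while awake
        """
        text = self._normalize(utterance)
        # Echo-suppression stand-in: ignore speech identical to our own playback.
        if playing is not None and text == self._normalize(playing):
            self.log.append((now, "echo", text))
            return "echo"
        # Idle lockout: a gap longer than the timeout closes the gate again.
        if self.awake and now - self.last_activity > self.idle_timeout:
            self.awake = False
            self.log.append((now, "timeout", text))
        if not self.awake:
            if text == self._normalize(self.wake_phrase):
                self.awake = True
                self.last_activity = now
                self.log.append((now, "woke", text))
                return "woke"
            self.log.append((now, "locked", text))
            return "locked"
        self.last_activity = now
        self.log.append((now, "executed", text))
        return "executed"


def run_scenarios() -> dict:
    """Replay constructed utterances against a gate whose wake phrase is 'zelda'."""
    results = {}
    # 1. The fixed default phrase is not this user's wake phrase, so a clip
    #    saying "start listening" followed by a command opens nothing.
    g = SpeechGate(wake_phrase="zelda")
    results["fixed_phrase"] = [
        g.hear("start listening", now=0.0),
        g.hear("open notepad", now=1.0),
    ]
    # 2. Legitimate use: wake, issue a command, fall idle past the timeout,
    #    then a command without re-waking is dropped until the phrase is repeated.
    g = SpeechGate(wake_phrase="zelda", idle_timeout=300.0)
    results["idle_lockout"] = [
        g.hear("Zelda", now=10.0),
        g.hear("open notepad", now=12.0),
        g.hear("save document", now=12.0 + 301.0),
        g.hear("zelda", now=320.0),
        g.hear("save document", now=321.0),
    ]
    # 3. Echo: the machine is playing the wake phrase through its own speakers.
    g = SpeechGate(wake_phrase="zelda")
    results["echo"] = [g.hear("zelda", now=0.0, playing="zelda")]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The design point is that the wake phrase is a per-user secret rather than a documented constant, and that the gate fails closed: after the idle timeout every utterance is dropped until the phrase is heard again, so a command played at the machine while nobody is at the keyboard never reaches the executing path. A real implementation would compare acoustic features rather than transcribed text, and proper echo cancellation subtracts the known output signal from the microphone input instead of comparing strings, but the state transitions are the same.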

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

