Ou's Low-tech Vista Exploit

By Scott M. Fulton, III | Published February 1, 2007, 10:45 AM

Inspired by an online discussion that raised the question of whether Windows Vista's new voice command feature could inadvertently respond to words in an audio file played remotely, perhaps through a Web site, ZDNet blogger George Ou found in his own tests that a well-recorded voice command played back through the speakers of a Vista computer would be acted on as if the computer's own user had spoken it.

Ou reported the details on his ZDNet blog on Tuesday. "I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu."

In Vista, speech recognition is a separate feature that the user has to launch intentionally, though it can then be set to start automatically. So not every Vista system is susceptible to this exploit by default. But that might not stop some crude, low-tech attempt by a Web site to automatically play a recording of someone very distinctly saying "Shut down!"

Yesterday, Microsoft responded to Ou with a confirmation of the security hole's existence, but noted that any exploit would be limited to users who "have a microphone and speakers connected to their system." The company suggested that users could protect themselves from the exploit by disconnecting their microphone and speakers, or by simply not using speech recognition.

Though Ou had not made that allegation, a member of Microsoft's Security Response team defended the company yesterday, saying a remote voice recognition exploit could not be used to defeat Vista's User Account Control (UAC), the operating system's new safeguard that reserves administrative actions for a human user who must confirm them before they are launched.

"It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials," the MSRC team member wrote. "The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."

In response, Ou wrote on his blog, "I never claimed this would bypass UAC and secure desktop nor do I think it needs to, to be able to do some serious damage. The fact that a website can play a moderate level sound file to interact in a way with the desktop by activating an idle speech command system and be able to delete user documents with zero user interaction is serious by any stretch of the imagination."

After well over a year of unprecedented beta testing, with engineers and amateurs alike poring over the possibilities of rootkits evading API queries deep in the recesses of memory, perhaps it's no wonder that obvious exploits such as this one went unnoticed until Vista was finally released.

But Ou's discovery does recall to mind the days of the public investigation after the first space shuttle disaster, when the brilliant physicist and father of quantum chromodynamics, Dr. Richard Feynman, demonstrated to NASA engineers that the rubber O-ring inside the shuttle's solid rocket booster fails to expand to seal gaps in freezing weather, by dropping the O-ring into a Styrofoam cup of ice water and seeing it for himself.

Comments


"Those who have given Vista a chance do seem to like it..." jcollake, You must be talking about the guys at Maximum PC that wrote the article entitled, "10 Reasons You Don't Need vista Today"? Or maybe the editors at Games for Windows who found that Vista runs DX9 applications 5% slower than XP, even if you have spent a grand upgrading your hardware. Or maybe you are talking about the dozens of hardware vendors whose drivers don't work on Vista's first run? No one is saying Vista will flop in the long run but like every new OS to come from Redmond, this one is going to have some serious growing pains. It's not bias or irrational prejudice to point out the many flaws in Vista today. Most of us will give it its due when it cleans up its act. Until then, we're going to let others slog through the mud and wait for the satisfaction meter to go up several notches.

Score: 0


There is a trend in not only this news site, but many others, to try to put a negative spin on Vista. I don't mean objective reporting about vulnerabilities or problems, but rather an irrational NEED to demonstrate that Vista is 'so terrible'. In fact, those who GIVE VISTA A CHANCE will realize that if nothing else it's a great and much needed improvement to the Windows line. If there were articles written for each of the many new features Vista offers, as there are for even the most minor inconveniences, maybe public opinion would be different.

Those who have given Vista a chance do seem to like it. That says it all.

Score: 0


I think it's highly unlikely this would really work in a real world environment. If the speakers were loud enough or close enough to your microphone to give it a clear command, you'd likely get feedback.

Score: 0


In my personal experience the Betas and RCs protected against this exploit by NOT FUNCTIONING PROPERLY. I could never get speech recognition turned on, it always insisted I didn't have a sound device, playing its little error sound effect when it did so.

Hopefully final will work better when I install it this weekend. My headset has always been very good at not picking up the headphone sound.

Score: 0


Oh wow. Vista, so secure that someone can just delete all your files with a vocal MP3.

Score: 0


it'd be funny if during presentations, I'm here speaking "Our system is designed not to SHUT DOWN" and pffttt the presentation PC shuts itself down.

Score: 0


I'd lol right to the floor..

Score: 0


It would make a good macro though... just record some commands, and play the mp3 file whenever you want to do stuff as a macro!!

Score: 0


"The company suggested that users could protect themselves from the exploit by disconnecting their microphone and speakers, or by simply not using speech recognition."

I can do one better: Users can protect themselves from Windows Vista Exploits by not running Windows Vista...

Score: 0


I second that emotion.

Score: 0


Nice. Vista hacks itself!

hahaha... Get ready for a long ride...

Score: 0


here is an easy way to make the exploit work as well...

Create a "fix your vista" page...

on the page have lots of photos of vista saying here is how to make vista run better...

put sound files on page...

email the world...

exploit works... people will open the email.... what about sending a flash file with audio, or a powerpoint in email... would these work...

Score: 0


what? that's it? blah no words for this. no one uses speech rec, and even if they did they wouldn't be dumb enough to enable it to do commands on the pc ... how hard is it to point and click?

Score: 0


Without hands? Pretty damn hard.

Score: 0


i don't know, i can see it being handy for those lonely saturday nights, surfing for paris hilton pics. *WINK*

Score: 0


Who's planning on using speech commands anyways? Even if I did, do they plan on hacking through my firewall and dropping a wav file so it can play and hope that my speakers and mic are plugged in?

Score: 0


how about people who have a disability, like they can't use their arms to type a keyboard? That answer your question??

Score: 0


...do they plan on hacking through my firewall and drop a wav file...
So, you never encounter web pages that have sounds embedded?

(And yeah, speech recognition is practically a gift from god to people with physical disabilities.)

Score: 0


Wow. This has to be the lamest "exploit" I have ever seen.

I know one person who uses speech-rec. And *only* when dictating medical reports for work-comp. claims.

I seriously hope they don't spend too much time trying to patch this. What a waste...

Score: 0


I know one person who uses speech-rec. And *only* when dictating medical reports...
Is it just me, or does anyone else find that scary? I suppose it could be worse...it could be the doctor dictating a diagnosis.

Score: 0


Yeah, amazingly, most of them start with,

"Dear aunt, let's set so double the killer delete select all."

*grins*

Score: 0


Sounds like the modern age of Ferris Bueller is upon us!

Score: 0


That is actually ingenious! MS should mute the speakers automatically while a command is recorded, BY DEFAULT, but allow the option to RECORD WHILE PLAYING MUSIC for ppl with headphones (who are safe from this exploit).

Even though MS tried to downplay this, they WILL release a fix for it in the next few months, just because someone out there WILL exploit it to delete user data "for fun".

Score: 0


Seriously? That desperate to claim that Vista is insecure?

You mean to tell me that if the Voice Recognition feature recognizes your voice, it does the action it is assigned to do? OMG!1! what 1337 h@x0rz figured that one out?

Score: 0


aw come on, where's the dreaded
Win32/Vista.magnum.o.ring.love.backflipped.orafice.dental.massage.exploit

Then I'll be impressed :p

Score: 0


That's not even vaguely an exploit.
It isn't news, it shouldn't have gotten an article here.

Score: 0


Well, I'm seeing a lot of viewpoints that echo what Paul Skinner is saying here: essentially, that because the exploit is so low-tech, it didn't really deserve mention.

Folks, are you interested in exploits because you think they're cool or because you're concerned about the vulnerability of the operating system? I've said this at security conferences before: Computing is perhaps the one industry I know where there's an entire subculture devoted to the practice of undermining its integrity; I don't see automotive technicians or plumbers creating a kind of mystic ambiance around the art of destroying cars or sinks. And if this were the automotive industry rather than computing, why would it be more intriguing to devise clever and subtle ways to subvert the running capacity of one's car when all four tires are obviously flat? It's like finding new ways to poke holes in Swiss cheese.

What George Ou did, in my opinion, was cleverly but plainly reveal a problem that should have been in front of our faces for the last year. Lest we forget, this is BetaNews; why didn't some of us beta testers (myself included) see this one? Instead, we're sloughing this off because it doesn't register on our cool-O-meters. Folks, we're the ones with eggs on our faces; nobody who signs our paychecks is going to give a tinker's damn about how cool or how lame we think an exploit is if the big freakin' obvious one gets completely overlooked. And whether it only affects .001% of the installed base won't matter; if we can't fix a leaky pipe because the pipe fell off the building, nobody's going to pay us to plumb their offices.

This does not only affect those of us who can't use a mouse. This affects those of us who can't use our heads.

Scott "Myself Included" Fulton III

Score: 0


What Scott said. If the system can be made to do something that the user did not intend, it's at the very least a bug, and quite possibly an exploit. In any case, it's definitely a screw-up. All Ou was saying was "fix it."

An exploit doesn't have to be a Rube Goldberg machine to be a valid problem.

Score: 0


Okay, so I see your point, but I think you're leaving something out here. You give us two options, are we interested in security, or the "cool" factor.

In reality, I feel I can pretty safely say that what we care about is what could possibly affect us. Cool, or not, secure, or not.

This completely misses that target. It will very likely affect no one here, much less anyone we know (take that as far down the 6-degrees as you want).

Look at it statistically. If it affects .001% of users, it's statistically non-existent. I'm not saying there shouldn't be an MS KB on the issue in case it does happen to some poor SOB someday, but on Betanews?

No, I don't think it deserves this much attention, but then again, here I am posting about it.

It's not BetaNews's job to find holes. You're not a security company (last I checked). Don't be too hard on yourselves for missing this.

This does not only affect those of us who can't use a mouse. This affects those of us who can't use our heads.

Statistically, it won't even affect either.

Score: 0


If the system can be made to do something that the user did not intend, it's at the very least a bug, and quite possibly an exploit.
That is a bit severe of a definition. After all, an inept user can cause a computer to do exactly what it is supposed to do, without intending for the computer to actually do what they told it, simply by not really understanding what it was they were telling the computer to do.

When creating a combination of software and hardware that even nears the intelligence of a dim human being is still a future prospect, it amazes me how much more people expect of computers than they do of each other.

Score: 0


We're talking about a mechanism in Vista that allows a malicious website (or rotating flash ad) to play a destruct sequence. I've already proven with a recording that can:
1. Open explorer.
2. Highlight documents folder.
3. Delete it
4. Flush the recycle bin.

I can also:
1. Open IE7
2. Input a TinyURL that redirects to an EXE
3. Open it and then run the EXE

At this point the EXE can do anything to the userspace without triggering UAC protection. That means the EXE can encrypt all your data and leave a ransom note in notepad on your desktop.

So what is the problem?
1. Vista Speech Recognition can be turned on from sleep state by playing back "start listening". Apple implemented a user-defined word 15 years ago in their speech command system for security.
2. Vista Speech Recognition does not implement feedback filtering which allows it to process sounds that came from the PC itself.

Now tell me if you still think this isn't an exploit and if you think Microsoft doesn't need to implement these fixes.

Score: 0


I hope you're not responding specifically to me, because nowhere have I stated I thought it was not an exploitable weakness. I had a feeling already that the scenario you just mentioned would be possible. So, is Vista Speech Recognition activated or in some form of sleep state by default? Doesn't the user have to actually turn it on for it to be "sleeping" in the first place? A user-defined word would be nice, and I would've expected there would be some form of feedback filtering built in. Just curious, is Vista's voice recognition good enough to recognize a stranger's voice or were you doing this on a computer "trained" for your voice?

Score: 0


You said:
"That is a bit severe of a definition. After all, an inept user can cause a computer to do exactly what it is supposed to do, without intending for the computer to actually do what they told it, simply by not really understanding what it was they were telling the computer to do."

No, the computer is NOT doing what YOU told it to do; the computer is doing what some hacker is telling it to do from a webpage. There's a BIG difference there and there are two things Microsoft forgot to implement which is feedback cancellation and user-defined secret to activate Voice.

The first time you load Vista Speech Recognition it will set itself to auto load with Vista. When it loads, it's in sleep mode but that doesn't help since the phrase "start listening" will wake it up regardless of the source. Heck, if the TV or radio or some truck blasting loudspeakers down the street said it then it would get picked up.

The problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full implications. If they merely assigned a user-defined password it would make the generic attack impossible but they didn't do that.

Score: 0
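Ou's two comments above name the same two missing controls: a generic wake phrase ("start listening") where a user-defined secret should be, and no feedback filtering to tell the PC's own speaker output apart from a person at the microphone. The following is an added illustration of what a gate with both controls looks like; it is not code from Ou, Microsoft or Vista. It assumes audio arrives as lists of float samples, that the recogniser hands back a plain transcript string (a hypothetical interface), and the activation phrase "rosebud" and all audio clips are constructed here for the demonstration.

```python
"""Toy voice-command gate (added example, not Vista's implementation).

Two checks before a recognised transcript is allowed to act:
  1. the transcript must open with the user's own activation phrase, not a
     phrase any Web page could guess;
  2. the microphone capture must not be a delayed, attenuated copy of what the
     PC itself is playing, detected with normalised cross-correlation.
"""
import random

# Assumption: audio is a list of float samples in [-1, 1].
def _ncc_at_lag(mic, playback, lag):
    """Normalised cross-correlation of mic[i] against playback[i - lag]."""
    xs = mic[lag:]
    ys = playback[:len(mic) - lag]
    n = len(xs)
    if n < 2:
        return 0.0
    mx = sum(xs) / n
    my = sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0


def playback_leakage(mic, playback, max_lag=64):
    """Peak normalised correlation over acoustic delays 0..max_lag samples.

    Near 1.0: the mic is hearing the speakers.  Near 0: independent audio.
    """
    return max(_ncc_at_lag(mic, playback, lag) for lag in range(max_lag + 1))


def should_accept_command(transcript, mic, playback, activation_phrase,
                          leakage_threshold=0.6):
    """Return (accepted, command_or_reason) for one recognised utterance."""
    words = transcript.lower().strip()
    if not words.startswith(activation_phrase.lower()):
        return False, "missing user-defined activation phrase"
    if playback_leakage(mic, playback) >= leakage_threshold:
        return False, "audio matches the PC's own playback (feedback)"
    return True, words[len(activation_phrase):].strip()


# --- Constructed sample audio (not real recordings) ---
def make_clip(seed, n=2000):
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def leak_through_mic(playback, delay=17, gain=0.5, noise=0.05, seed=99):
    """Simulate speaker output reaching the mic: delayed, attenuated, noisy."""
    rng = random.Random(seed)
    out = [0.0] * len(playback)
    for i in range(delay, len(playback)):
        out[i] = gain * playback[i - delay] + rng.uniform(-noise, noise)
    return out


WEB_PAGE_AUDIO = make_clip(1)                  # what a hostile page plays
LEAKED_MIC = leak_through_mic(WEB_PAGE_AUDIO)  # what the mic then hears
USER_VOICE = make_clip(2)                      # independent audio: a real user

if __name__ == "__main__":
    # Generic wake phrase from the speakers: rejected on the phrase check.
    print(should_accept_command("start listening open explorer",
                                LEAKED_MIC, WEB_PAGE_AUDIO, "rosebud"))
    # Right phrase, but the audio is the PC's own output: rejected as feedback.
    print(should_accept_command("rosebud open explorer",
                                LEAKED_MIC, WEB_PAGE_AUDIO, "rosebud"))
    # Right phrase from audio unrelated to playback: accepted.
    print(should_accept_command("rosebud open explorer",
                                USER_VOICE, WEB_PAGE_AUDIO, "rosebud"))
```

The correlation check is the part a real implementation would do with proper acoustic echo cancellation on the audio stack; the toy version searches a small range of delays and rejects anything that lines up with the playback buffer, which is exactly the case Ou describes of the system hearing itself. The activation phrase check costs nothing and removes the "generic attack" on its own, since a page cannot play a secret it does not know.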


it's true

Score: 0


What I said was in response to another post which seemed to be making a more general statement about software in general. In this case, the computer ends up doing something neither intended nor foreseen by its design; and that I do consider a bug/exploit.

Score: 0

