Microsoft Vista Exploit: A Hacker Can Talk it into Destroying Your Files!

Tested and Confirmed by a Microsoft-friendly Columnist, to the Amusement of Geeks Around the World

Tsu Dho Nimh
This exploit is so far into "why didn't they see it coming" territory that I splorfed coffee all over my keyboard when my geekish roommate sent me the information. Here's the news: Microsoft provided Vista with the ability to accept voice commands. This lets you tell the computer to open files, save files, delete files and all sorts of useful things. What they did not provide Vista with was the ability to tell which sounds are coming from the speakers and which sounds are coming from your mouth into the microphone. The result? If you play a sound file with Vista commands in it, Vista does what the sounds tell it to do. Even if the commands are to delete all your files and empty the trash to make sure you can't get them back!

"I was shocked that sound playback could actually take the speech system out of sleep state and easily wake it. Websites can easily autoplay an MP3 file that wakes speech, delete your documents and empty the recycle bin. I've actually tested this and it works." George Ou, a normally Microsoft-friendly columnist on ZD Net (http://blogs.zdnet.com/Ou/?p=416), can't quite understand how this happened, but he confirmed that it does work.

Where can this lead? Well, I certainly would not want to have the sound command input running while I surfed the internet. Any website could have an MP3 playing with the commands to do rude and annoying things to my computer. While reading e-mail? I'd hate to pop open an email and have it take over my computer until I could grab for the keyboard.

Here's a scenario from the user "Rafterman" as a comment on George Ou's column, where an innocent third party could bork your system: "Imagine using your speakers while Skyping a friend, and they're running Speech Command too. All that's needed is for them to say 'Delete My Photos' (or something to that extent) while talking to you, and you've instantly lost all your valuable photos. Granted this may sound like a bit of a stretch, but honestly Microsoft should have tested this scenario while developing Speech Command."

The only safe way to have the voice control feature running would be with the speakers turned OFF. And why did I buy the fancy-schmancy expensive computer with the multi-media doo-dads if I'm not going to use them?

Why wasn't this caught by any of the millions of beta testers? Most of them don't think like the bad guys. All they wanted to do was make sure Vista worked with their software, or play with the new shiny toy, or use it for a few hours and write a favorable review and earn their salary. They weren't looking for security holes: that's the software architect's job, that's the programmer's job, that's not the beta tester's job.

Excuse me while I go download the latest Linux distro ... I feel safer with the penguin under the hood.

Published by Tsu Dho Nimh

I'm a long-time technical writer with time to spare. I'm an omnivorous reader, a superb researcher, and a very fast writer. I'm also a good photographer. I'm fascinated by medicine, and annoyed by quack...

10 Comments

  • Lee, 3/28/2008

    This is stupid. I have Vista and I don't use the speech recognition. It's easy, DON'T TURN IT ON!
    Stop being scared of Vista, Linux, Mac, etc. If you don't know how to properly use the computer in the first place, then you don't deserve to own one.

  • GtrSoloist, 6/7/2007

    Wow, this just goes to show that my belief of not migrating to a Microsoft operating system until there is a Service Pack 2 out for it is not only warranted, but justified.

  • Donna Porter, 3/23/2007

    I'm taking my sis shopping today for a laptop, and this will scare the bejeezus out of her about Vista. Hence, I'll have fulfilled my role beautifully. Yet, with the proliferation of "talking ads" alone, I find this flaw almost mind numbing in its incredulity.

  • Jamie K. Wilson, 3/21/2007

    Gah. Yet another reason not to get Vista til I have to. I resist every friggin "upgrade" until the last minute; we have computers in the house still running on Win 3.1.

  • Question Everything, 2/25/2007

    Wow - I already didn't want Windows Vista. Now I have another reason to add to the list. Great article.

  • Spunky The Gamer, 2/7/2007

    Wicked! I'm glad that I'm not one of those folks who purchases brand new Windows operating systems just because it's Microsoft.

    Great article, and thanks for the warning!

  • Roselyn James, 2/4/2007

    My daughter was asking me about this the other day. Now I know what to tell her. Thanks!

  • vic_elor, 2/2/2007

    I remember hearing about the "speech command" issue a while back, though I remember a fellow C-S student showing it to me on his Mac. Personally, voice command systems that are not tuned to the voice of specific users are just bad ideas. It's funny though because it's the post-90's version of the age-old question "If I hook up a clapper to my television and the TV audience starts clapping, will my TV turn off?"

  • Lazy Gardens, 1/31/2007

    Pam - your Mac has the penguin under the hood.

  • Pam Gaulin, 1/31/2007

    Great article! I will stick with my Mac :-)
