Google Blogoscoped


Vista flaw discovered

justinf [PersonRank 10]

Thursday, February 1, 2007
16 years ago · 5,321 views

"Microsoft has admitted that speech recognition features in Vista could be hijacked so that a PC tells itself to delete files or folders."

Ionut Alex. Chitu [PersonRank 10]

16 years ago #

I didn't use Vista, but I doubt that the OS is permanently in listening mode. It would need too much processing power and it would be pointless if you're not using it. So I suppose you must do something (open an app, click a button) to activate it.

Philipp Lenssen [PersonRank 10]

16 years ago #

> I didn't use Vista, but I doubt that the OS is
> permanently in listening mode.

I didn't reproduce this of course, but ZDNet's George Ou writes:
<<I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.>>

Hong Xiaowan [PersonRank 10]

16 years ago #

My old mobile also has this function. Say a name to make a call.
Also, IBM has software to input Chinese by voice, and it needs a training process. So other people cannot use my computer to input Chinese. Also, if I am sick or tired, or the children are so noisy, the computer cannot understand me.
Voice recognition is a good thing. Maybe Vista became bright enough to work without training. If Vista is clever enough, it will also know whether the voice is from the owner or from the web page. Maybe it is an easy bug that everyone can make.

Spiros D. [PersonRank 0]

16 years ago #

"delete see slash windows slash system sixty four slash run dee el el dot sys"
Yes, I can see the clear potential in this exploit. So basically, every single voice recognition software that somebody might use and has programmed for system maintenance tasks is vulnerable, but it's Vista's fault for providing it out of the box for users.
Shame, I was always under the impression Blogoscoped wasn't on the same Anti-MS train like Slashdot etc. (and no, I am not a Windows user).

John [PersonRank 0]

16 years ago #

What is it when you talk to yourself and then answer? Oh right, it's crazy.

Jaykul [PersonRank 0]

16 years ago #

Yes, of course ... *I* could create a sound file that would "exploit" any Voice Recognition software to do anything that doesn't require admin approval ... on *MY* computer. Because I spent (too much) time training my computer to actually recognize my voice fairly well.

YOU, however, could not.

And voice recognition is hardly a feature you'll find enabled on many people's computers ... it's still too slow and inaccurate ... plus,

The coup de grace, however, is that anyone who uses speech recognition couldn't possibly be using speakers that play sounds from web pages out loud enough to affect the speaker, or it would be completely useless ... they'd be taking dictation from losers on MySpace ...

Juha-Matti Laurio [PersonRank 10]

16 years ago #

This vulnerability was assigned as so-called BID22359 at Symantec's widely known vulnerability database:

Microsoft's response and its advice are located at
in turn.

Philipp Lenssen [PersonRank 10]

16 years ago #

Jaykul, I agree a couple of parameters need to be met. However, consider this: currently, I have my speakers on, and the microphone is next to the speaker. This is no fictional setup, it just happens that I use the mic for Skype and I put it on the table when I don't use it, and I listened to iTunes music some hours ago but I'm not anymore, but the speakers are still on.

Furthermore, I suppose whatever sound file the cracker came up with is *prepared* to be clear-sounding pronunciation using simple commands (e.g. it's not like you're typing a free-style Word letter; it may be enough to execute commands).

Still, I agree it's not the most likely hack to happen. And as soon as a website starts to speak to me I hit Alt+F4... :)
