by Joseph Weisenthal

Microsoft Vista Takes Orders From Anyone Who Yells At It

As Microsoft pushes Vista out the door, the company has a lot riding on the claim that the new operating system is significantly better than previous versions of Windows, in terms of security. While there have been some scattered reports of flaws, which is always to be expected, many feel that the company has made good progress in securing its system. One new vulnerability comes from the fact that Vista has voice recognition capabilities, and that the user can speak commands to the computer through a microphone. George Ou decided to test the question of whether a website could play an audio file containing spoken commands and commandeer the user's computer. As it turns out, if the speech is clear enough, the computer will respond to commands that come out of its own speakers. The volume didn't even need to be too high. It's still not clear how much of a threat this really is. Many people won't even have this capability activated, and if you stumble onto a website that starts barking orders to your computer, you might realize something odd is going on. But, as with many online threats, an attacker doesn't need a high rate of success for a certain approach to be worthwhile. For Microsoft, it will probably be one of several security issues it will have to deal with down the road.

  1. Gregg, Jan 31st, 2007 @ 4:52pm

    Hopefully this will get the browsers to treat audio like pop-up ads, and request permission before playing them.

  2. Greg, Jan 31st, 2007 @ 4:59pm

    That is the most hilarious vulnerability I've seen in quite a while.

  3. Chronno S. Trigger, Jan 31st, 2007 @ 5:00pm

    Speech recognition

    If it was voice recognition this would not be a problem. You mean the speech recognition. Outside of that I have nothing relevant to add.

  4. Anonymous Coward, Jan 31st, 2007 @ 5:01pm

    Didn't this test require him to record his OWN voice for it to work?

    When they had someone else's voice, Vista didn't do anything.

    Also is this any better than that Dragon software?

  5. Bumbling old fool, Jan 31st, 2007 @ 5:01pm


    I think I just invented the next wave of DRM installation. Have the song tell the computer to download it and install it.

    Don't like my DRM content? How about a track on a CD that just lists a whole bunch of websites?

    Nothing like a song singing about how many browser windows can one song open? It can be like a contest amongst artists!

  6. randum, Jan 31st, 2007 @ 5:06pm

    This is the stupidest news article I have ever seen...

  7. Jhecht, Jan 31st, 2007 @ 5:06pm

    what in hell

    Who the hell needs voice recognition? I mean OK, maybe for people who cannot use their hands and so on I can understand, but that should come as an accessory or something from Microsoft if the user requests it to be installed. It shouldn't be automatically installed for everyone. It's just kind of a waste of time, and disk space.

  8. Pope Ratzo, Jan 31st, 2007 @ 5:20pm


    Can I call home and when my answering machine picks up, tell my computer to shut itself off?

    That's cool. I hope the format command is not in the list of voice-activated ones.

    "Please leave a message after the tone"


  9. slimcat, Jan 31st, 2007 @ 5:38pm

    Vista voice recognition?

    Dear aunt, let's set so double the killer delete select all

    At this point in Vista's ability to recognize voice commands, I don't think I'd be too worried.

  10. A non-slave IT guy, Jan 31st, 2007 @ 6:02pm

    @what in hell, #7

    Tell you what. You type and I'll dictate into Dragon Naturally Speaking. Let's see who gets more done.

    Speech Recognition is not just for disabled persons, dweeb.

    I agree that the feature should not be installed by default. But if it works well and I did not have to pay something over and above my Windows cost, I'll be happy.

  11. Stu, Jan 31st, 2007 @ 6:05pm

    My guess is that if their computer said, "Bend over and drop your pants", a large number of people would do it - and they'd remain in that position until the damn thing told them to stand up and get dressed. Then, when their significant other found them in that position, they'd blame Microsoft.

  12. Cleverboy, Jan 31st, 2007 @ 6:07pm

    Oh come now...

    You don't see how it works? You just send out spam that promises "amazing tips" on how to master your computer's voice recognition. You encourage the user to try each tip as they go. About 5 tips in, it's game time! "Minimize all windows! Select Desktop. Select All. Delete. Ok! Open My Computer. C. Select All. Delete. Ok! Parent Directory. C. Properties. Format Drive. Ok!" If the mark is anything like that teacher convicted for not shutting down spyware ads, then Vista users are doomed.

  13. Brad, Jan 31st, 2007 @ 6:11pm

    @A non-slave IT guy:

    You really think slower than you speak? You must be boring as hell to listen to. Personally, I can't imagine anyone calling themselves an "IT guy" that can't type faster than they talk. Especially since revisions and changes to text are incredibly fast and easy with a keyboard, especially once you get beyond standard text and into programming (which you MUST do, IT guy).

    Tell you what, YOU dictate into Dragon Naturally Speaking and I'll write a Rails app. We'll see who gets more done.

    And voice command isn't installed OR activated by default. So really, this security "exploit" is less of a threat than dumb users ever will be.

    You can't issue shell commands through it, you can only open and close windows, do very basic tasks. If exploited...inconvenient? Yeah. A "threat"? Hardly. It's not like someone could use it to issue, let alone CREATE malware on a remote system.

  14. Eric B~, Jan 31st, 2007 @ 6:22pm

    Voice Commands

    I had a laptop running CoPilot with a GPS antenna sitting on my passenger seat along with the radio turned on. I was standing outside the driver's side of the car stretching during a break from the road trip when the radio played some song that caused the CoPilot software to respond, "1,130 miles to Daytona".
    No one in the car but a conversation was in process!

  15. give the dog a bone, Jan 31st, 2007 @ 7:05pm

    "sit boo boo sit, good dog" woof!

  16. Richard Bunker, Jan 31st, 2007 @ 7:39pm

    the recursive clapper

    I have always wondered if a TV show with an applause soundtrack could cause "the clapper" to turn off the TV. I think this is a corollary to my earlier curiosity.

  17. BobHornytoad, Jan 31st, 2007 @ 7:54pm


    Are you crazy?!?!? Censorship will kill us all!

  18. Anonymous Coward, Jan 31st, 2007 @ 9:14pm


    I normally speak about 3-400 words per minute, if you can type that fast you deserve a medal, but you have no place telling someone else that they aren't an "IT guy" because they can't beat the world record for typing speed.

  19. Anonymous Coward, Feb 1st, 2007 @ 3:55am

    Re: what in hell

    That is why it is not installed by default of course.

  20. rahrens, Feb 1st, 2007 @ 4:50am

    speech command

    Look, folks, my wife isn't much of a computer person, even if I am a geek. Her favorite saying is that once she can just speak to her computer to tell it what she wants to do, then she'll use it herself and not bug me to download her email.

    I don't think she's alone. I can think of a lot of things I'd like to be able to just speak the commands for without slowing myself down by having to type or use the mouse. Sure, at a certain level of working on the innards of a box you'll need to start typing, but 99% of a user's day could be made much more productive by good speech recognition. (Yeah the guy above is right, there is a world of diff between speech recognition and voice recognition!)

    And I think computers will someday be commanded much more by voice than keyboard. Voice is definitely a biometric, and combined with other biometrics, can be a good security system.

  21. Wizard Prang, Feb 1st, 2007 @ 6:29am

    Settle down now...

    I can't imagine anyone calling themselves an "IT guy" that can't type faster than they talk

    Some of the best programmers I know are NOT touch-typists. Perhaps that is because they think more and type less.

    I have been using Voice Recognition on and off since OS2 Warp. The only reason that I don't use it today is that the IT support folks won't let me install it. Since I don't write large amounts of prose, it's not a big deal.

    Also programming is not a task that lends itself to VR as well as, say, creative writing.

    So you're both right. Just because VR is not suitable for your particular application does not mean that it has no use.

  22. Deverill, Feb 1st, 2007 @ 10:53am

    Other uses

    Something to consider is that this system understands windows commands. I saw a demo (YouTube) where a guy was doing stuff in Flash and instead of wasting screen real estate with a toolbar and having to mouse over to it again and again to change tools he was using the voice commands "pen" "select all" "convert to symbol"... AND the workspace was bigger because he didn't need the toolbar. I thought that was a good use for voice instead of just a replacement memo dictation taker.

  23. Judy, Feb 1st, 2007 @ 11:06am


    How about using the technology to make TV commercials pipe down?

  24. |333173|3|_||3, Feb 1st, 2007 @ 4:59pm


    If the technology was integrated with IE well enough, then you could use it to download a file. If this was in the middle of a list of commands, which would have the effect of you trying to mute the computer, then you could get some malware without noticing.

    The speech recognition should have a feed from the sound card, or if it added up the input to the sound card itself, and subtracted that from the audio-in, then they could reduce interference from music as well, which would be a good thing.

    The idea of talking into the command prompt might not be a bad one, but I would personally like you to have to start it with a parameter (typed) to allow voice recognition. The only problem would be pronouncing some of the codes. A good API would be nice, so that you can say any menu item name, and it is selected, as well as activating all the inbuilt keyboard shortcuts (so you just say "Help").
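
The mitigation suggested in comment 24, subtracting the computer's own playback from the microphone input before recognition, is acoustic echo cancellation. The following is an added example, not part of the original thread or of any Microsoft code, using a normalized LMS adaptive filter; the room response, signals, filter length and step size are constructed assumptions.

```python
import math
import random

def nlms_cancel(mic, ref, taps=8, mu=0.1, eps=1e-6):
    """Subtract the adaptively filtered playback (ref) from mic; return the residual."""
    w = [0.0] * taps      # running estimate of the speaker-to-microphone path
    buf = [0.0] * taps    # most recent playback samples, newest first
    out = []
    for d, x in zip(mic, ref):
        buf = [x] + buf[:-1]
        y = sum(wi * xi for wi, xi in zip(w, buf))   # predicted echo of own playback
        e = d - y                                    # what the recognizer would hear
        norm = eps + sum(xi * xi for xi in buf)
        w = [wi + mu * e * xi / norm for wi, xi in zip(w, buf)]
        out.append(e)
    return out

def power(sig):
    return sum(s * s for s in sig) / len(sig)

def demo(n=4000, talk_start=3000):
    rng = random.Random(1)                           # constructed playback audio
    ref = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    room = [0.6, 0.3, 0.1]                           # constructed speaker-to-mic response
    echo = [sum(h * ref[i - k] for k, h in enumerate(room) if i - k >= 0)
            for i in range(n)]
    # Constructed "real user": a quiet tone that begins after the filter has settled.
    near = [0.2 * math.sin(2 * math.pi * 0.05 * i) if i >= talk_start else 0.0
            for i in range(n)]
    mic = [e + s for e, s in zip(echo, near)]
    res = nlms_cancel(mic, ref)
    return {
        "echo_only_mic": power(mic[2000:talk_start]),       # playback as the mic hears it
        "echo_only_residual": power(res[2000:talk_start]),  # same span after cancellation
        "user_speech": power(near[talk_start:]),            # the user's own signal
        "user_residual": power(res[talk_start:]),           # what survives cancellation
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6f}")
```

Audio the machine itself plays is removed almost entirely from the residual, while sound that did not come from the speakers passes through at close to its original level.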

  25. 1337fragger, Feb 10th, 2007 @ 1:47pm


    "My Computer"

    LoL, it's like an IWIN button for computer hackarz.

