Disagreement over impact of Vista's analog hole


Summary: The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications. If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible, but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self-vigilant.

TOPICS: Windows

Since my initial report on the Vista analog hole and getting confirmation of the flaw from Microsoft, Microsoft's MSRC blog downplayed the significance of this exploit and said that "there is little if any need to worry about the effects of this issue on your new Windows Vista installation".

The SANS Institute responded:

Fundamentally they acknowledge the problem, they say that they are looking into it and in the meantime give you an excellent pointer to where the issue could cause real harm, i.e. healthcare.

I also have objections to the fact that you can't do anything dangerous with it: downloading and executing a local privilege escalation is still eminently possible, you just need a suitable 0-day local privilege escalation for Vista. Indeed, any way to download and run arbitrary code as a valid user is never good news, this one just happens to be from the "neat trick" pile.

Scott M. Fulton III of BetaNews characterized this best as the "low-tech attack":

After well over a year of unprecedented beta testing, with engineers and amateurs alike poring over the possibilities of rootkits evading API queries deep in the recesses of memory, perhaps it's no wonder that obvious exploits such as this one went unnoticed until Vista was finally released.

InfoWorld Paul Roberts wrote:

Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer's owner to download and play an audio recording of the malicious commands. Even then, the commands would somehow have to be issued without attracting the attention of the computer's owner.

That is not actually correct, Paul. If you've ever been to those annoying MySpace pages, or if you've ever seen those annoying popup/pop-under ads that automatically start blasting music or sounds, you'd know how easy it is to play unwanted sounds on a computer. People leave their desks all the time with webpages open, and webpages can have rotating ads that eventually play sounds.

Finally, attackers’ commands are limited to the access rights of the logged on user, which may prevent access to any administrative commands, Microsoft said in a statement.

As I've mentioned before, this is not a system-level attack. The simulated attack that I pulled off deleted the documents folder and emptied the trash. Another attack I suggested, using TinyURL to simplify a long URL to an EXE payload for download and execution, was verified by a security analyst. That means user-level code can be executed by this "analog hole". User-level code can easily steal, delete, or encrypt all of your user data for ransom. Lastly, Paul, this is NOT a SHOUTING hack. The sound levels did not have to be that loud; normal speaker levels worked fine.

The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications. If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible, but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self-vigilant. It doesn't matter that there aren't that many people using this feature; Microsoft should fix it if they're going to offer it and market it as a key Vista advantage. Since Microsoft is promoting voice recognition for healthcare, we should consider the safety of patient health records.

At present, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a user-definable phrase or word? For example, a user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle? How hard would it be for Microsoft to implement their excellent echo cancellation algorithm from Windows Messenger in Speech Recognition? I don't believe this is too much to ask.
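To make the two safeguards asked for above concrete (a user-chosen wake phrase and an idle lockout), here is a small Python state machine that gates recognized phrases before they are treated as commands. It is an added example written for this page, not Microsoft's code; the class names, the fake clock and the transcript are constructed, and the transcript models a generic recording that says "start listening" followed by a command, then a long silence.

```python
class FakeClock:
    """Constructed clock so the idle timeout can be tested deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class SpeechCommandGate:
    """Only passes commands after the user's own wake phrase, and re-locks when idle."""
    def __init__(self, wake_phrase, idle_timeout_s, clock):
        self.wake_phrase = wake_phrase.strip().lower()
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self.awake = False
        self.last_activity = 0.0

    def handle(self, utterance):
        """Return 'woke', 'slept', 'executed' or 'ignored' for one recognized phrase."""
        text = utterance.strip().lower()
        # Idle lockout: fall back to sleep if nothing was said for too long.
        if self.awake and self.clock() - self.last_activity > self.idle_timeout_s:
            self.awake = False
        if not self.awake:
            # Asleep: only the user-chosen wake phrase does anything at all.
            if text == self.wake_phrase:
                self.awake = True
                self.last_activity = self.clock()
                return "woke"
            return "ignored"
        self.last_activity = self.clock()
        if text == "stop listening":
            self.awake = False
            return "slept"
        return "executed"  # a real system would dispatch the command here


# Constructed transcript: (seconds, phrase) as the recognizer would hear it.
TRANSCRIPT = [
    (0.0, "start listening"),   # generic wake phrase from the recording
    (2.0, "open calculator"),   # command from the recording
    (400.0, "open calculator"), # another command after a 398 s silence
]


def run_transcript(wake_phrase, idle_timeout_s, transcript=TRANSCRIPT):
    """Replay a transcript through a gate and collect the outcome of each phrase."""
    clock = FakeClock()
    gate = SpeechCommandGate(wake_phrase, idle_timeout_s, clock)
    outcomes = []
    for t, phrase in transcript:
        clock.t = t
        outcomes.append(gate.handle(phrase))
    return outcomes
```

With the stock wake phrase and no timeout every phrase on the recording is obeyed; a 300 s timeout drops the late command, and a personal wake word such as "zelda" means the generic recording never gets past the gate.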

[poll id=15]


  • A cute exploit

    But ultimately pretty easy to address. I certainly don't think it's a reason for a Windows user to avoid Vista.

    A bigger problem that can't be addressed by a patch:


    The relevant conclusion:

    [b]Microsoft stopped focusing on end users and now seemingly makes many decisions based on these two things:

    1. Avoiding negative publicity (especially about security and software quality)

    2. Making sure the largest enterprise customers are happy[/b]


    [b]UAC and a few other somewhat invasive security measures are not about protecting customers; they're about protecting Microsoft from negative publicity.[/b]

    This tardsploit would seem to fall into the category of not relevant to their largest enterprise users. They'll patch it mainly because of the embarrassment factor.
    But you no longer matter to MSFT. UAC will annoy you to death so MSFT can claim it's your fault the sploit-o-the-day got installed because, like a monkey trained to push a button on cue, you clicked through the UAC warning because they are so mind-numbingly common. Half the user base wouldn't be able to make sense of them, even if they were more descriptive.

    This exploit overrated? Certainly. MSFT treatment of their users? Inexcusable.
    • You're beating a dead unicorn

      The UAC issue is a non-issue. Period. I'm running Vista Business right now and UAC hasn't bothered me one time as a user.

      As an Admin now, it pops up from time to time, but usually when I'm running something fairly significant.

      Overall, UAC being "invasive" is just FUD. End of story.

      This VR thing is a minor issue because 99% of Windows users won't be running VR in the first place and second, by the time there's a significant target base MS will have solved the issue.

      I think the passphrase/timeout is sufficient, the echo cancellation is nothing but techie overkill, George's idea is silly because of the amount of effort it would take vs the severity of the problem.

      Vista does have some issues, mainly with obsolete/niche hardware drivers (Mine are a badge printer and an old scanner) but over all I'm very pleased with it.

      On a positive note I did discover that the PDF995 PDF print driver from *XP* works just fine in Vista--whodathunkit?

      There's also bit of issue with OCX controls in Access forms that I'm still looking into, but that should be solvable too.

      Vista takes some getting used to, but the more I use it the better I like it.

      I'm not ready to convert wholesale to Vista (shudder) but at least I'll be comfortable buying new Vista systems for the company as our old machines need replacing.
      • Overkill?

        Echo cancellation will only improve the quality of voice recognition as well as security. I don't think it's too much to ask. Microsoft already does a very good job with Windows Messenger so they already have the code and the skill.
        • KISS

          Why not just keep it simple, real simple, and very little code. If VC is active, kill the speaker output. They could get a bit fancier and kill the speakers but leave earphones on. If the user quits VC, revert to normal. Would this be a big coding job? Doesn't seem like it would.
        • I still think that would be the job of the sound card makers

          They are the ones with the hardware, they should build this feature into the drivers.

          How many PCs have a Mic port not attached to the sound card?

          OK, I rest my case, because I think they could more handily offer this feature.
          • Yeah...that's the ticket.

            Every time there's a problem with the Windows software we'll ask the chip people to create some new firm/hardware to cover.
          • Oh yeah...

            It also has to be backwards compatible.
  • You need a 3rd option in your poll George


    Just curious, how many users have an open mic and speakers that are always on. I have way too much noise in my house, so I always use headphones.
    • Actually he needs a 4th choice...

      "Who really cares?"

      The likelihood of this "exploit" EVER being hit is so slim as to make it laughable.

      C'mon folks...

      ...and how about the gaping hole in any OS when a logged on user walks away from their workstation, with no screensaver password set? How will software developers handle that one?
      • agreed... somewhat

        "The likelihood of this "exploit" EVER being hit is so slim as to make it laughable."

        While I know it would be impossible for it to ever hit me. I'm sure there are some who it could. It needs to be addressed. But it wouldn't keep me up at night worrying about it either.
    • Both speakers and mic are always on

      And I ain't touching Vista until it's been out there for at least a year :)
  • Wasn't it Linux that learned that local exploits become bad

    Gentoo or Debian or both servers were compromised when a local exploit was used to gain access through alternate means. The local exploit was of low priority because it can only be executed on that particular machine by local means, although it can transmit information. Foolishly enough, someone can pull something off and execute it. Users are silly people.

    However, remote exploits, especially when they allow remote code execution, no matter how restrained a user may be. A Trojan can easily be backgrounded for keystroke logging and UAC can be compromised by this. Sandboxing IE is nice, but still requires some assistance.

    The approach to fixing this is similar to trying to prevent analog capture of music. "It won't happen"

    However, you can stop a computer from talking to itself through echo cancellation. I think that perhaps the sound card companies would be the ones to contact about this though.
    • Directional Mics

      That's how you solve this. I'm a bit surprised that people would use Omnis for a task like this. I'd either use headphones and any old mic or a cardioid mic and if speakers were in use. Face it, if you're listening to music, that could cause all kinds of strange things to happen.
  • Let nothing get in the way of Microsoft innovation

    Bill Gates defends these innovations. Respect what he's selling you. You ungrateful
    • 2.0

      A mite too strident and not at all funny. Real MS-fans are more likely to downplay the problem than they are to assert Bill's infallibility.
      John L. Ries
      • Sort of like

        The Apple fans with Steve, or the Linux fans with Linus.
        John Zern
        • Apple and Linux fans...

          ...don't usually claim that those pointing out flaws are part of a conspiracy to discredit PIPMS (Poor Innocent Persecuted Microsoft). Good thing George has sterling pro-MS credentials, or every pro-MS poster on this board (including you) would be trying to discredit him.
          John L. Ries
  • Per-application audio -- mute IE

    One workaround to block the IE (or any web browser for that matter) attack vector, is to use Vista's new per-application audio to mute audio from your browser. Though, that won't work so well if the browser can manage to open Media Player...
  • We should learn to accommodate.

    It's time M$ took a real stand for something and did not hint of a retreat. The fact(s) are that M$ is going to do what it's going to do and the users can just continue to buy more equipment and additional "Upgrades" which render them and their "tools" inoperable. M$ has never been in the business of really helping anyone but them$elves. This is - after all is said and done (uselessly) - a business for obscene profit and monopoly.

    Those who dare to disagree with M$ "calling" from themselves as "god(s)" to control everything they can by lying sales pitches and force applied against the real producers of quality products and services must be silenced, and they are - daily - with increasing problems getting their machines to run; after all, we all should know by now that, "if it wasn't for Bill Gates, none of us would have the wonderful machines and neat games we have today - never mind the fact that the things which worked yesterday are planned to be shut down today so we'll be compelled to buy more that does less tomorrow. It's the M$ way, and they are fools to pretend anything else.

    Pat yourselves on the backs, boys; you've managed to screw things up so folks can't even use their new products, ... and all this in le$$ than one week! I should be proud; only in America - or some totalitarian country somewhere - can we come to expect too much.

    Don't apologize and don't fix anything. It's ready for a waiting public. They exist only to shell out and praise "the makers". We humbly comply. OOOOOOOOOoooooooooooooooommmmmmmmmmmmmmmm.
    • 6.0

      Rather heavy handed, but the point is well taken. <sarcasm>Customers exist for the sole purpose of making money for shareholders and anyone who says otherwise is a commie.</sarcasm>
      John L. Ries