Security risk management vs. software development

Summary: George Ou highlights problems with Vista's speech recognition software and wonders why the issue hasn't been fixed for more than a year. The reason: Risk management.


Here's George's description of what he calls a flaw in Vista's speech recognition--some folks debate whether it's a flaw or not. This item was surfaced a year ago, but Vista SP1 apparently didn't take care of it. George makes his case that the speech recognition vulnerability deserves more attention. He notes:

The test sound file I created managed to wake Vista speech recognition, highlight all the files on my desktop or all my pictures via Windows Explorer, and invoke the shift-delete command which wipes the files without the ability to undelete from the Recycle Bin.  I could also open Internet Explorer and invoke TinyURL addresses which in turn redirect to some other malicious executable.  While the damage is limited to the user space since Vista speech recognition can't get around the UAC prompt (assuming it's on), code execution in the user space is still a serious vulnerability.

George is annoyed that this speech recognition issue wasn't addressed. He argues that Microsoft "missed a lost opportunity" on the security front by letting this voice recognition thing slide.

Viewed through the lens of risk management, it's understandable why Microsoft didn't address its voice recognition software. Like many things in life, something doesn't matter--until it does. What do I mean by that? Microsoft fixed a whopping 551 bugs with Vista SP1. George's speech recognition hole obviously didn't make the cut because it affects relatively few people. If someone exploited the speech recognition issue, suddenly it would matter. But that hasn't happened yet.

Risk management dictates that you prioritize something and allocate resources to the biggest security issues. For instance, it's possible that a terrorist could attack New York via carrier pigeons. But the probability is low so the Department of Homeland Security won't be allocating budget for it.

In the case of the speech recognition problem George highlights, Microsoft probably looked at it and noted that few were using it. And if UAC was activated, Microsoft had a backstop anyway. George adds that this Vista voice recognition problem could impact disabled folks. That's probably true. But until these folks complain, Microsoft isn't going to budge. It's a low-priority issue--until something bad happens--when you consider that Microsoft has 551 other bugs to worry about.
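To make the prioritization argument above concrete, here is an added example (not from the original post, and not Microsoft's process) of a simple triage model: each issue gets an expected-loss score from likelihood, impact, exposure (the share of users who actually have the feature in use) and any compensating control such as UAC, a fixed fix budget draws the cut line, and an issue that is exploited in the wild jumps ahead of the score. The backlog, its numbers and the "known exploited goes first" rule are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Issue:
    name: str
    likelihood: float                   # chance of exploitation in the release window, 0..1
    impact: float                       # damage if exploited, 0..1 (1 = full system compromise)
    exposure: float                     # share of the installed base actually using the feature
    mitigated_by_control: bool = False  # a backstop such as UAC limits the blast radius
    exploited_in_wild: bool = False     # public exploit or confirmed incidents

CONTROL_IMPACT_FACTOR = 0.5  # constructed assumption: a backstop halves the effective impact

def risk_score(issue: Issue) -> float:
    """Expected-loss proxy: likelihood * impact * exposure, discounted for controls."""
    impact = issue.impact * (CONTROL_IMPACT_FACTOR if issue.mitigated_by_control else 1.0)
    return issue.likelihood * impact * issue.exposure

def triage(backlog: list[Issue], budget: int) -> tuple[list[str], list[str]]:
    """Fix the top `budget` issues by score, defer the rest.

    Anything already exploited in the wild sorts ahead of everything else,
    whatever its score: that is the "it doesn't matter until it does" flip.
    """
    ranked = sorted(backlog, key=lambda i: (i.exploited_in_wild, risk_score(i)), reverse=True)
    names = [i.name for i in ranked]
    return names[:budget], names[budget:]

def mark_exploited(backlog: list[Issue], name: str) -> list[Issue]:
    """Return a copy of the backlog with one issue flagged as exploited in the wild."""
    return [replace(i, exploited_in_wild=True) if i.name == name else i for i in backlog]

# Constructed backlog; the numbers are illustrative, not Microsoft's or George Ou's.
BACKLOG = [
    Issue("remote-kernel", likelihood=0.6, impact=1.0, exposure=1.0),
    Issue("browser-rce", likelihood=0.7, impact=0.8, exposure=0.9),
    Issue("local-privesc", likelihood=0.3, impact=0.9, exposure=1.0),
    # Few users run speech recognition, and UAC keeps the damage in user space.
    Issue("speech-recognition", likelihood=0.2, impact=0.6, exposure=0.02,
          mitigated_by_control=True),
]

if __name__ == "__main__":
    fixed, deferred = triage(BACKLOG, budget=3)
    print("before an exploit:", fixed, "deferred:", deferred)
    fixed, deferred = triage(mark_exploited(BACKLOG, "speech-recognition"), budget=3)
    print("after an exploit: ", fixed, "deferred:", deferred)
```

With a budget of three fixes the speech issue is the one deferred; flag it as exploited and it moves to the top of the list while a higher-scoring but unexploited bug drops below the cut.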

  • I guess those few people who do use voice recognition don't count.

    It's like how they refused to fix the XP escalation exploit for more than 2 years and would have waited for 3+ years till XP SP3 if Metasploit hadn't included a ready-made sploit. Their reasoning is that it isn't important since people ran Admin mode anyways and privilege escalation in XP was moot. That sounds logical, until you consider the fact that it makes their position on UAC hypocritical and that it's a slap in the face of people who actually bothered with the trouble of running in user-only mode.

    As a security professional and CISSP, I'm all too familiar with this "risk management" model and it's too closely related to "public relations" and I'm sometimes disgusted by it. I mean you can do all these risk calculations and ask what is the ROI of a fire extinguisher? What was the ROI of implementing a safety container for the fuel tank in the Pinto? They had originally designed it to have it but the bean counters cut it out to save costs figuring the cost of a few dead people and the resulting lawsuits would be cheaper than implementing the safety measure.

    What is the value of a few voiceless disabled people who need this stuff to work and be reliable and secure? I guess they don't count, right?
  • Linux tried and failed on the same measure

    Remember a few years ago when Gentoo and Debian development servers were attacked. They were attacked by using local vulnerabilities. The reason why those vulnerabilities didn't get fixed was because they were considered extremely low priority. I mean who would allow an intruder physical access to the system? After all, how many hacking incidents are from inside the firewall? More than half, I am almost certain.

    The point is, until something happens, we don't take issues seriously. We react rather than put in the ground work to prevent failings. This is the flagship argument of most black hat hackers.
  • Those people are in the minority

    So in other words it's trivial at this point. It's called priorities.
  • No real security professional would deny that this isn't a flaw

    No real security professional would deny that this isn't a flaw. The only thing in dispute is whether the minority of users affected by this flaw are worth consideration.