Security risk management vs. software development

George Ou highlights problems with Vista's speech recognition software and wonders why the issue hasn't been fixed for more than a year. The reason: Risk management.

Here's George's description of what he calls a flaw in Vista's speech recognition--some folks debate whether it's a flaw or not. This item was surfaced a year ago, but Vista SP1 apparently didn't take care of it. George makes his case that the speech recognition vulnerability deserves more attention. He notes:

The test sound file I created managed to wake Vista speech recognition, highlight all the files on my desktop or all my pictures via Windows Explorer, and invoke the shift-delete command which wipes the files without the ability to undelete from the Recycle Bin.  I could also open Internet Explorer and invoke TinyURL addresses which in turn redirect to some other malicious executable.  While the damage is limited to the user space since Vista speech recognition can't get around the UAC prompt (assuming it's on), code execution in the user space is still a serious vulnerability.

George is annoyed that this speech recognition issue wasn't addressed. He argues that Microsoft "missed a lost opportunity" on the security front by letting this voice recognition thing slide.

Viewed through risk management it's understandable why Microsoft didn't address its voice recognition software. Like many things in life something doesn't matter--until it does. What do I mean by that? Microsoft fixed a whopping 551 bugs with Vista SP1. George's speech recognition hole obviously didn't make the cut because it affects relatively few people. If someone exploited the speech recognition issue suddenly it would matter. But that hasn't happened yet.

Risk management dictates that you prioritize something and allocate resources to the biggest security issues. For instance, it's possible that a terrorist could attack New York via carrier pigeons. But the probability is low so the Department of Homeland Security won't be allocating budget for it.

In the case of the speech recognition problem George highlights, Microsoft probably looked at it and noted that few were using it. And if UAC was activated Microsoft had a backstop anyway. George adds that this Vista voice recognition problem could impact disabled folks. That's probably true. But until these folks complain Microsoft isn't going to budge. It's a low priority issue--until something bad happens--when you consider that Microsoft has 551 other bugs to worry about.