Vista shout hack highlights Mac differences?
Here’s one for the hack files that’s really a hack. I started following the Vista Not-a-Shout Hack news a couple of weeks ago because I wanted to see if Mac OS X was vulnerable to the same thing, since the Mac has had speech recognition for special commands for just about forever.
But the weird thing about this hack is how “unlikely” it is on Windows. Why, the computer would have to have speakers and a microphone installed! And the user would have to manually play the audio! This meme kept popping up as I was reading about the hack:
On Microsoft’s Security Response Center Blog, Adrian writes:
Additionally the system would need to have speakers and a microphone installed and turned on.
Paul F. Roberts on InfoWorld writes that the impact will be small, because:
Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system.
Paul also doesn’t think that Windows web browsers can play audio:
Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer’s owner to download and play an audio recording of the malicious commands.
Angela Gunn at ComputerWorld tries to write hers in coolspeak and ends up sounding like your grandfather trying to hit on a 12-year-old in MySpace, but offers the same lines inside the calmdown:
But the "shout hacking" vuln sounds less like something that ought to concern a reasonable manager (or user) and more like a one-person game of Twister. Let’s see: If speech recognition is enabled, and if the user has a mike and speakers hooked up, and if you can either get access to the machine or convince the user to play your audio file, and if you can do all this without anyone noticing a sufficiently loud “shout hack” in progress…
We can be certain that Angela does not try to hit on 12-year-olds on MySpace, because if she ever visited MySpace she’d know that modern web browsers actually do play audio without requiring the user to download it first.
Just thinking about the last time I visited MySpace, I’m beginning to think that browsers lacking support for audio is a great feature.
A few things would have to be in line for an attacker to be able to do anything harmful. First, you’d have to have a microphone and speakers connected to your system. Remember, this is a verbal attack. And secondly, you’d also need speech recognition to be configured. The odds of this actually happening are probably very slim…
Scott M. Fulton at BetaNews writes that Microsoft recommends that users disconnect their microphone and speakers:
Yesterday, Microsoft responded to Ou with a confirmation of the security hole’s existence, but noted that any exploit would be limited to users who “have a microphone and speakers connected to their system.” The company suggested that users could protect themselves from the exploit by disconnecting their microphone and speakers, or by simply not using speech recognition.
Right, I mean, who needs a microphone or speakers?
Yes, it’s technically true that, for this hack to work, the computer needs a microphone and speakers. It’s just as true that it would need a CPU and a power source. I’m assuming here that Windows computers don’t really come without basic functionality. Are these writers completely out of touch with what comes as a basic part of computer systems nowadays? Or are they just regurgitating Microsoft’s press release?
Another meme is that it’s unlikely because the user would hear it happening as long as they are at their computer. And if they’re not at their computer, why would it be on?
Because it’s not like people will use Vista for listening to iTunes over AppleTV, or use their computer to wake them up in the morning, or set Photoshop or a 3D application to work on a file while they take a shower.
I’d say that during my computer’s active time, I’m only at the computer, at most, 50% of the time. The rest of the time I’m letting POV-Ray render an image, listening to iTunes in another room, or lying in bed listening to iTunes wake me up in the morning. I don’t want to have to rush to my computer to… do what, exactly? Once the command is spoken, how do I stop it?
I understand that journalism today is a lot of copy and paste, but still, I’d expect better of people writing about computers on the very system they’re writing about.
Or are they all using Macs?
- Disagreement over impact of Vista’s analog hole
  - “The simulated attack that I pulled off deleted the documents folder and emptied the trash. Another attack I suggested using TinyURL to simplify a long URL to an EXE payload for download and execution was verified by a security analyst. That means user-level code can be executed by this ‘analog hole’. User-level code can easily steal, delete, or encrypt all of your user data for ransom. Lastly Paul, this is NOT a SHOUTING hack. The sound levels did not have to be that loud, normal speaker levels worked fine.”
- Issue regarding Windows Vista Speech Recognition
  - “In order for the attack to be successful, the targeted system would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on… Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation.”
- Vista hole opens door to ‘shout hacking’
  - “Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system. Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer's owner to download and play an audio recording of the malicious commands.”
- Not much worth shouting about
  - “Let's see: If speech recognition is enabled, and if the user has a mike and speakers hooked up, and if you can either get access to the machine or convince the user to play your audio file, and if you can do all this without anyone noticing a sufficiently loud "shout hack" in progress...”
- Microsoft Confirms Vista Speech Recognition Remote Execution Flaw
  - “First, you’d have to have a microphone and speakers connected to your system. Remember, this is a verbal attack. And secondly, you’d also need speech recognition to be configured. The odds of this actually happening are probably very slim, but the fact that it could potentially happen means that it’s something that Microsoft needs to address.”
- Reporting from press releases
  - Much of what we read in the newspapers is not reporting: it is a rewriting of a press release written for the purpose of being used in place of news reporting.
- Ou’s Low-tech Vista Exploit
  - “Yesterday, Microsoft responded to Ou with a confirmation of the security hole’s existence, but noted that any exploit would be limited to users who ‘have a microphone and speakers connected to their system.’”
- POV-Ray
  - POV-Ray is a ray-tracing program for Macintosh, Unix, DOS, and Windows. It is very powerful, full-featured, reliable, and free. It also uses a “programmer-style” interface rather than a graphical one. The tutorial that comes with it is well-written, so it’s worth a look. Persistence of Vision is very useful for those of us who like to automate our image creation. It uses a simple scripting language to build up complex 3-dimensional imagery.
- iTunes
  - “The best digital jukebox, with the #1 music download store inside.”