Windows Vista Speech Remote Exploit Bug
It's been less than a week since Windows Vista hit the shelves and we're already hearing of problems and new bugs. Today the tech news sites are all getting very excited about the new vulnerability in Vista's Speech Command utility, purely from an "Oooh, a vulnerability ALREADY" perspective, but no one has given a moment's thought to those for whom this bug poses a major problem.
Microsoft have finally started taking a bit of responsibility and have decided to ship a lot of things with Vista turned OFF by default - Speech Command included. So chances are, most users won't hit this issue. However, those that have enabled it are likely to be hit when encountering "malicious" sounds embedded on websites, like MySpace. Played through the speakers, these sounds can in turn be picked up by the microphone and interpreted by the OS as spoken commands.
Microsoft have admitted there is an issue here and recommend customers take the following action to protect themselves from potential exploitation of the reported vulnerability:
- A user can turn off their computer speakers and/or microphone.
- If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition and restart their computer.
Fair enough for your average Joe Schmoe. But what about those people with disabilities - those that use Narrator (text-to-speech utility) in conjunction with the Speech Command utility? These poor people have been eagerly awaiting Windows Vista and its Speech Command (to go with Narrator, which has been around since XP), coughed up their cash, only to find that reading something quite innocent like this post can cause their system to SHUTDOWN or REBOOT as soon as Narrator encounters those two words (that is, assuming these are the correct commands).
Microsoft may think this is quite a mundane issue, but I tell you now, for those people with disabilities that have just shelled out a ton of cash to ease their computing lives: this is a major issue.
Well done Microsoft, advertise the functionality, but make it unusable for those that really need it. Bravo!