It's more of a mischief thing, but if somebody has "voice recognition" enabled on Vista, you can use spoken commands (like, music played on a website) to run commands on the computer. Apparently it doesn't have to be terribly loud or clear, either. You can do anything that doesn't require UAC, for example:
- Install a program (for the current user)
- Delete files, send an email
- Play more audio (for nearby computers? :))
- Encrypt files (probably with an external program)
It's not terribly important, but it's kind of funny. Ways to fix it:
- Require a unique password
- Prevent feedback (but you could still use other computers)
It was originally posted on the Daily Dave mailing list, though a lot of news sites have picked it up:
http://lists.immunitysec.com/pipermail/dailydave/2007-January/thread.html (near the bottom)
Here's my favorite post:
Quote
I can see it now; all you need is one 0wned host every
few feet and you can bark commands to all the others
within earshot. First thing you tell them is to join in
the sing-along. It would make a great movie scene -- with
maybe Richard Clarke looking over his shoulder down a
corridor in the Pentagon and saying "Do you hear that?"
as a crescendo of "halt-and-catch-fire" rises in the
distance...
Here's $500 for the first documented case of someone
using the white courtesy phone in an airport to page
Mr Shootdown, Reese Sett, Sleep Now, or whatever and
blanking all the laptops in a concourse. An extra
$500 if it's DC National...
Quote from: iago on January 31, 2007, 10:02:52 PM
It's more of a mischief thing, but if somebody has "voice recognition" enabled on Vista, you can use spoken commands (like, music played on a website) to run commands on the computer. Apparently it doesn't have to be terribly loud or clear, either. You can do anything that doesn't require UAC, for example:
- Install a program (for the current user)
- Delete files, send an email
- Play more audio (for nearby computers? :))
- Encrypt files (probably with an external program)
It's not terribly important, but it's kind of funny. Ways to fix it:
- Require a unique password
- Prevent feedback (but you could still use other computers)
I don't really see this as becoming anything remotely resembling anything worthwhile.
Voice Recognition is opt-in. It doesn't come as on by default.
UAC is required for programs being installed to \Program Files\. Which is pretty much all of them.
Since encryption is transparent to the user, whether or not a user's files are encrypted is really irrelevant.
Cute idea, but just more "haha, look at what we can do to fuck up progress" drivel from the anti-Microsoft crowd....
Quote from: iago on January 31, 2007, 11:06:01 PM
"Send $1 to happy dude!"
I can't believe they're using my machine for this. :(