This thread is now dead. It's terrible publicity for Microsoft, since it's the exact thing they don't want to say. "Our uninspired OS has vulnerabilities the OS X people already fixed". Essentially it overrides the Microsoft marketing message since there's nothing tangible about Vista Ultimate to sell. "Search", "Voice", "Security" are the "three killer features", but as John Stewart said when he interviewed Bill Gates "Is this just about how we interact with computers or do they DO anything new?" People in America like to name things as the opposite of what they are. "The Patriot Act", "The War on Terror", "Vista Ultimate", "Digital Rights Management" etc. Vista isn't the last OS you're ever going to buy, so why name it like it is? That was a rhetorical question, for all the non-exploit-writing people out there who feel the need to say something on a mailing list to get their name in their own inbox. The point is the name makes it sound really cool, but anyone who's used it is like "eh?". It's better than XP, but Ubuntu is better than both of them, so whatever.
<br><br>Anyways, this is about as bad as it's going to get for Vista. Nobody is going to publicly announce vulnerabilities for it. Instead, they'll sell them and/or use them. Atlas shrugged a long time ago and the security industry is just now noticing.
<br><br>-dave<br><br><br><br><br><div><span class="gmail_quote">On 2/2/07, <b class="gmail_sendername">George Ou</b> <<a href="mailto:george_ou@lanarchitect.net">george_ou@lanarchitect.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Here's the round up on news coverage on this flaw.<br><a href="http://blogs.techrepublic.com.com/Ou/?p=420">http://blogs.techrepublic.com.com/Ou/?p=420</a><br><a href="http://blogs.zdnet.com/Ou/?p=420">http://blogs.zdnet.com/Ou/?p=420
</a><br><br>"The fundamental problem here is that Microsoft "extended" speech to be able<br>to control the Operating System and Applications without considering the<br>full security implications. If Microsoft had merely assigned a user-defined
<br>password with an automatic lockout after a certain amount of idle time, it<br>would have made the generic attack impossible but they failed do that. So<br>I'm asking Microsoft to reconsider their stance that "there is little if any
<br>need to worry" and implement some sort of safety mechanism rather than<br>relying on the user to be self vigilant. It doesn't matter that there<br>aren't that many people using this feature; Microsoft should fix it if
<br>they're going to offer it and market it as a key Vista advantage. Since<br>Microsoft is promoting Voice recognition for healthcare, we should consider<br>the safety of patient health records.<br><br>At present time, Vista Speech Recognition wakes up to the command "start
<br>listening". How hard would it be for Microsoft to make that a<br>user-definable phrase or word? For example: A user would pick "Zelda" as<br>the word to wake speech mode while someone else picks "439" as their wake
<br>word. How hard would it be for Microsoft to implement a wake timeout so<br>that Speech Recognition would sleep after 5 minutes idle? How hard would it<br>be for Microsoft to implement their excellent echo cancellation algorithm in
<br>Windows Messenger for Speech Recognition? I don't believe this is too much<br>to ask."<br><br><br>I want to thank the SANS Institute guys for "getting it". Coming from them,<br>that means something to me.
<br><br><br>I'm also running a poll at the end asking if Microsoft should patch this<br>with a pass phrase and echo cancellation.<br><br><br><br>George Ou<br><br>_______________________________________________<br>Dailydave mailing list
<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br>
</blockquote></div><br>