Wednesday, January 31, 2007

i think i 'hear' a malicious program

an interesting story that's come out of the recent vista release concerns the ability for a web page with an audio file to execute commands on the user's system through the speech recognition (not to be confused with voice recognition, though it often is)...

now, you may recall that i define a program as a collection of instructions meant to be executed or interpreted by the computer for the purposes of carrying out a task... microsoft has just made audio files (regardless of the specific file format) into programs with this speech recognition implementation... by that i mean that audio files can now contain instructions that the computer is able to interpret and carry out (in fact, the same holds true for video files - vista meet youtube)...

this is significant because audio (and video) files in general were not previously considered to be active/executable content... sure there have been cases of vulnerabilities in various media players being exploited in order to launch arbitrary code, or even specific formats allowing the embedding of instructions such as javascript within them, but those were isolated incidents... now all audio/video content, regardless of format, is potentially a program under vista and that is a malware vector that no average person will be expecting...

the technical potential for abuse is sizable but there are some practical limitations - obviously a computer is going to need speakers (quite common) and a microphone (not exactly unheard of) and speech recognition will need to be enabled and configured in order for it to mistake multi-media content for legitimate user commands... anyone who uses speech recognition is going to have it enabled and configured and they're going to have a microphone - and since most people also have speakers, most speech recognition users are going to be vulnerable to this form of remote code execution...

now, vista also has something called user access control (aka UAC, where potentially dangerous tasks require the user to type in the administrative password) and as has been said elsewhere this should limit the damage that multi-media malware can do but imagine the new social engineering opportunities for something like this... imagine you're browsing along and all of a sudden out of nowhere a voice starts speaking to you... he says his name is carl and he works for microsoft as part of their new remote system maintenance and repair service that they're rolling out with windows vista... he says microsoft's servers detected a problem on your machine and in order to fix it he's going to download and install a repair tool that will require your administrative password... do you think people would fall for this kind of multi-media downloader trojan? i have a sneaking suspicion some might - after all, people are still unzipping and executing attachments they get in email without verifying the intent of the sender (speaking of email, i wonder if multi-media files are among the content vista's email client tries to block)...

while we're dreaming up scenarios which may or may not be plausible, let's consider who many of the speech recognition users are going to be... speech recognition is something that greatly benefits those with special accessibility needs... another accessibility technology is the text-to-speech engine that visually impaired computer users use in order to have the textual content on the screen read out to them... if these two technologies get used together then even plain english (or whatever other natural language you happen to use) text could become a program or, worse still, malware (somehow i can't see vista's email client blocking text content)... this takes the complaint about microsoft violating the principle of separating data from code to a whole new level...

0 comments: