I’ve been trying to sort out my opinion on how worried I think we should be over the Microsoft Vista speech recognition security hole as reported here by the BBC. On the one hand it would appear to be a “technically possible” but unlikely risk; on the other hand, after hearing so much about how secure Vista is going to be and drinking the “trustworthy computing initiative” Kool-Aid, I’m concerned that we will see a lot more reports of Vista security problems. SC Magazine reports Microsoft’s Adrian Stone as saying “While we are taking the reports seriously and investigating them accordingly, I am confident in saying that there is little, if any, need to worry about the effects of this issue on your new Windows Vista installation.” Well, that’s all fair enough and I don’t doubt Adrian’s word; however, I do think that there is cause to be worried.
The reason is that despite the focus on quality of code, the security embedded within the lifecycle, the review and testing process, and the whole focus on security, security and more security from Microsoft, a few days after the release of their new flagship consumer product an exploit is apparently discovered that might allow someone to delete files simply by uttering the word “delete.”
More to the point though, it’s not just Vista that I’m worried about because this is evidence that despite all the best efforts – and I give Microsoft a good deal of credit for their security initiatives and have mentioned before how much value I get from their associated tools such as the threat modelling software – having a goal of eradicating all security bugs is going to be nigh on impossible to achieve.
The naysayers will continue to try to put Vista down. Personally I’m with Ed Bott and his blog on the features that sell the software, but I hope that he hasn’t spoken too soon when he says there has so far been no “devastating security breaches.” However, from a risk management perspective, the jury is going to be out for a while yet. Richard Stiennon of Fortinet, who keeps a blog here, makes the comment that reportedly “you can already purchase Vista zero day exploits on the web.” Now, while I’m generally suspicious of comments made by a vendor of IPS solutions about problems that would be resolved by an IPS solution, I have some measure of respect for Richard’s opinion.
So, this is a rather garbled, unstructured blog entry on a subject that will remain a topic of debate and discussion. Maybe it will have triggered one or two questions in your own mind. To close this one off I’ll refer you to Mark Curphey’s other blog and this amusing cartoon take on Microsoft’s entry into the desktop security market…