While the Mac OS has not yet been exposed to a virus or other malware that could actually spread and be a threat to anyone, there have been many “proof of concept” hacks and a host of “vulnerabilities,” or potential attacks that were never actually carried out. Many of these depended on a set of highly unlikely circumstances, like having two Bluetooth-enabled Macs which had not been software-updated within the past eight months operating in the same room with Bluetooth set to “Discoverable” and one of the owners foolish enough to manually allow a reported “device” that did not exist to be accepted by the computer.

Well, now Vista has joined that club–albeit in a way that makes Microsoft seem a hell of a lot more stupid than Apple ever looked. A new vulnerability reported on Vista just a few days after its release involves the OS’s speech recognition. Now, speech recognition on a Mac requires a keyboard button to be depressed while a command is given (with an option to instead have the user to speak a definable keyword before the spoken command). This is to ensure that speech commands will not be taken by the computer by mistake when the feature is turned on.

Apparently Microsoft didn’t take these rather obvious security steps. It seems that when Vista’s speech recognition is turned on and a microphone is active (which is usually the case, if there is a built-in mic), any speech that matches the commands in the computer’s vocabulary will be executed.

The potential hack: a sound file which starts giving speech commands to open Windows Explorer and delete files. Delivery is simple: a web site that starts playing a sound file when you arrive there. It could also be delivered in any number of other ways, including fake song files that begin with real music and then start issuing voice commands, or even a malware solution of some sort.

Now, like many of the Mac vulnerabilities, this Vista vulnerability is highly unlikely. While it will be common to find Vista users with active speakers and mics, it would be less common to find users who have speech recognition turned on. But the greatest unlikelihood would be the user who would just sit there and watch while their computer started speaking to itself, giving commands to delete files.

Now, on the other hand, this set of events is not impossible by a long shot. I have known a good many people who are computer-unsavvy enough that they’d be stymied long enough not to know what to do if their computer started doing that. Alternately, some users could be unlucky enough to be out of the room when the commands started being issued. Unlikely, yes, but not impossible. Still, I would doubt that this will ever really hit anyone.

Regardless of whether the hack ever happens or succeeds, the fact remains that it makes Microsoft look really stupid. I mean, that a computer’s security system could be overridden by a frickin’ sound file is just embarrassing. In their defense, Microsoft points out that because Vista no longer makes the primary user the system administrator by default, only files in the user’s directories can be affected. Which is small consolation, as that represents all the personal files of the user; it just means that Vista itself will not be hurt. Whoopee.

Of course, there is one other thing that makes the exploit truly unlikely: Vista’s speech recognition sucks. Okay, commonly available speech recognition all sucks, but Vista is certainly no exception, as this demo gone awry which I reported on six months ago clearly shows. Nevertheless, some people reported actually being able to make the sound file hack work.

It should also be pointed out that Vista is still vulnerable to some of the most common pre-exiting malware, which can blow through Vista’s much-ballyhooed defenses, and that Vista is not exactly immune to the host of new viruses that will inevitably appear in the coming months.