I question even discussing this in a manner that may make people
inexperienced with using the registry think that maybe they should
do so. If I don't know something, I'd be glad to find out, but
these lock screen vulnerabilities appear to me to be so obscure and
unlikely to be exploited that the risk is 0 for most users.
Here is an excerpt from a recent Microsoft security bulletin about
such a vulnerability. It requires someone to have physical access
to the person's computer and, of course, to know about the
vulnerability and how to exploit it.
An elevation of privilege vulnerability exists when Windows
improperly allows web content to load from the Windows lock screen.
To exploit the vulnerability, an attacker with physical access to a
user’s computer could either connect to a maliciously configured
WiFi hotspot or insert a mobile broadband adaptor in the user’s
computer. An attacker who successfully exploited the vulnerability
could potentially execute code on a user's locked computer.
This sounds to me to be a vulnerability to be of interest to those
worrying about espionage or industrial espionage, not remotely to
almost all users.
Also, a patch for this Windows vulnerability has been distributed in
I haven't checked the rest, but the first two vulnerabilities in
NVDA required someone to have access to the computer as well, to
know about the vulnerability and how to exploit it. I have no
objection to offering security updates to NVDA but I don't think
discussing disabling the lock screen is a good idea. I don't think
people should take even small risks when there is no benefit and I
don't think there is any benefit to most or perhaps even just about
On 10/20/2022 2:26 AM, Cyrille via groups.io wrote:
Quentin, you have copied the content of a security advisory.
However security advisories and "In-Process" do not target the
I do not know if In-Process are usually edited after having been
released but this case would be an opportunity.
If possible, I would:
1. put the .reg file option before the manual registry editing
2. put a big warning for people before editing the registry as we
can find everywhere (e.g. here)
on the internet when dealing with registry editing.
3. fix the steps with the correct wording (key instead of folder)
and make the steps according to what is most commonly found
("Personalization" missing); people already having the
"Personalization" key can just ignore the step for creating it.
3 bis. Remove the steps to edit the registry and just link the
On Thu, Oct 20, 2022 at 04:48 AM, Quentin Christensen wrote:
Thanks for the help for William on this one - I must
admit, I just copied those steps from a previous
recommendation we had put up with another security fix
related to the lock screen. I had a lot of content this
week (and already a few items held over for the next post)
so I didn't analyse those steps as closely as I might have
another time. I did note that the steps weren't as fully
written as I would have with every keystroke, although being
the registry, my original thought was that people should
know what they are doing before going in and editing it -
but then again maybe that is just more reason why the steps
should be provided in full as well...
By the way, I have yet to
encounter any Windows 10 machine in its default state
that will have a Personalization subkey under the Registry
Count on having to follow my previously noted steps to
create it and set its value to 1.
Brian - Virginia, USA - Windows 10, 64-Bit, Version 22H2, Build 19045
There are many people who can only make
themselves feel better about themselves by making
themselves feel better than others.
~ Commenter Looking_in on the Washington
Training and Support Manager