Re: In-Process is out


Gene
 

I question even discussing this in a manner that may make people inexperienced with using the registry think that maybe they should do so.  If I don't know something, I'd be glad to find out, but these lock screen vulnerabilities appear to me to be so obscure and unlikely to be exploited that the risk is 0 for most users.

Here is an excerpt from a recent Microsoft security bulletin about such a vulnerability.  It requires someone to have physical access to the person's computer and, of course, to know about the vulnerability and how to exploit it.
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-112
An elevation of privilege vulnerability exists when Windows improperly allows web content to load from the Windows lock screen. To exploit the vulnerability, an attacker with physical access to a user’s computer could either connect to a maliciously configured WiFi hotspot or insert a mobile broadband adaptor in the user’s computer. An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer.

This sounds to me to be a vulnerability to be of interest to those worrying about espionage or industrial espionage, not remotely to almost all users.
Also, a patch for this Windows vulnerability has been distributed in Windows update.

I haven't checked the rest, but the first two vulnerabilities in NVDA required someone to have access to the computer as well, to know about the vulnerability and how to exploit it.  I have no objection to offering security updates to NVDA but I don't think discussing disabling the lock screen is a good idea.  I don't think people should take even small risks when there is no benefit and I don't think there is any benefit to most or perhaps even just about all users.

Gene
On 10/20/2022 2:26 AM, Cyrille via groups.io wrote:

Hello

Quentin, you have copied the content of a security advisory. However, security advisories and "In-Process" do not target the same audience.
I do not know if In-Process are usually edited after having been released but this case would be an opportunity.

If possible, I would:
1. put the .reg file option before the manual registry edition option
2. put a big warning for people before editing the registry as we can find everywhere (e.g. here) on the internet when dealing with registry edition.
3. fix the steps with the correct wording (key instead of folder) and make the steps according to what is most commonly found ("Personalization" missing); people already having the "Personalization" key can just ignore the step for creating it.
or
3 bis. Remove the steps to edit the registry and just link the security advisory.

Cheers,

Cyrille




On Thu, Oct 20, 2022 at 04:48 AM, Quentin Christensen wrote:
Brian,
 
Thanks for the help for William on this one - I must admit, I just copied those steps from a previous recommendation we had put up with another security fix related to the lock screen.   I had a lot of content this week (and already a few items held over for the next post) so I didn't analyse those steps as closely as I might have another time.  I did note that the steps weren't as fully written as I would have with every keystroke, although being the registry, my original thought was that people should know what they are doing before going in and editing it - but then again maybe that is just more reason why the steps should be provided in full as well...
 
Quentin.

On Thu, Oct 20, 2022 at 12:01 PM Brian Vogel <britechguy@...> wrote:
By the way, I have yet to encounter any Windows 10 machine in its default state that will have a Personalization subkey under the Registry Key, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Count on having to follow my previously noted steps to create it and set its value to 1.
--

Brian Virginia, USA  Windows 10, 64-Bit, Version 22H2, Build 19045  

There are many people who can only make themselves feel better about themselves by making themselves feel better than others.

    ~ Commenter Looking_in on the Washington Post, 7/10/2014

 

 


 
--
Quentin Christensen
Training and Support Manager
 
