Re: In-Process is out
Gene
I question even discussing this in a manner that may make people
inexperienced with using the registry think that maybe they should
do so. If I don't know something, I'd be glad to find out, but
these lock screen vulnerabilities appear to me to be so obscure and
unlikely to be exploited that the risk is 0 for most users.
Here is an excerpt from a recent Microsoft security bulletin about such a vulnerability. It requires someone to have physical access to the person's computer and, of course, to know about the vulnerability and how to exploit it.

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-112

An elevation of privilege vulnerability exists when Windows improperly allows web content to load from the Windows lock screen. To exploit the vulnerability, an attacker with physical access to a user’s computer could either connect to a maliciously configured WiFi hotspot or insert a mobile broadband adaptor in the user’s computer. An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer.

This sounds to me to be a vulnerability to be of interest to those worrying about espionage or industrial espionage, not remotely to almost all users. Also, a patch for this Windows vulnerability has been distributed in Windows update.

I haven't checked the rest, but the first two vulnerabilities in NVDA required someone to have access to the computer as well, to know about the vulnerability and how to exploit it.

I have no objection to offering security updates to NVDA but I don't think discussing disabling the lock screen is a good idea. I don't think people should take even small risks when there is no benefit and I don't think there is any benefit to most or perhaps even just about all users.

Gene

On 10/20/2022 2:26 AM, Cyrille via groups.io wrote:
Hello